AD query for successful login from multiple IP’s

Follow

Terence Jackson

• October 05, 2017 21:38

I’m tryin to right a query search for successful users logins from multiple ip addresses within a 5 minute interval. There is a similar one for Azure , but I haven’t been successful in one for AD. Any assistance is appreciated. 

1

• Official comment

  

  Nick Wilson

  • October 06, 2017 21:53
  • Edited

  Hi Terence,
  
  Something like this should get you started:
  
  

  _sourceCategory=Labs/OSSEC "authentication_success"

  | parse "User: * " as user

  | parse ") * ->" as ip_address

  | timeslice 5m 

  | count_distinct (ip_address) group by _timeslice, user
  | where _count_distinct > 1
  
  Can you try that out and let me know? Also, I encourage you to use a larger timeslice so that you have a higher chance of identifying violations. For example, if someone logs in from two different IP addresses within 10 minutes of each other, it wouldn't be identified here.
  
  Thanks,
  Nick

  Comment actions Permalink
• 

  Gabby Ariza

  • November 10, 2021 20:35

  Nick,

  Do you have one for Office 365?

  0

  Comment actions Permalink

Please sign in to leave a comment.