New Logon Type for User

Description

Windows defines several logon types (Interactive, RemoteInteractive, Network, etc.). Established users rarely generate new logon types. This search will look for that scenario. (MITRE CAR Reference)


Use Case

Advanced Threat Detection, Security Monitoring, Compliance

Category

Account Compromise

Alert Volume

Low

SPL Difficulty

Medium

Data Availability

Bad

Journey

Stage 1

MITRE ATT&CK Tactics

Privilege Escalation
Persistence

MITRE ATT&CK Techniques

Valid Accounts

MITRE Threat Groups

Chimera
APT39
FIN4
FIN5
FIN10
Soft Cell
Night Dragon
TEMP.Veles
Leviathan
Dragonfly 2.0
Wizard Spider
OilRig
APT41
Suckfly
Silence
FIN6
Threat Group-3390
APT18
menuPass
APT28
Sandworm Team
PittyTiger
FIN8
Carbanak
APT33

Kill Chain Phases

Installation

Data Sources

Windows Security

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if it is too slow for your environment, we recommend leveraging a lookup cache: persist the earliest and latest time seen for each user and logon type in a lookup, and have each scheduled run search only the most recent window of events and merge them into that lookup, rather than rescanning the full history on every run.
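The lookup-cache pattern in SPL, written here as an added example rather than the app's own search: each scheduled run looks only at the last day of successful logons, merges them with the first-seen table persisted in a CSV lookup, writes the merged table back, and then alerts only on user/logon-type pairs whose earliest time falls inside that window. The lookup file name logon_type_firstseen.csv, the sourcetype WinEventLog:Security, the restriction to EventCode 4624, and the field names user and Logon_Type are assumptions about how your Windows Security data is onboarded and extracted.

```spl
sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=* earliest=-24h@h latest=now
| stats earliest(_time) as earliest latest(_time) as latest count by user Logon_Type
| inputlookup append=t logon_type_firstseen.csv
| stats min(earliest) as earliest max(latest) as latest sum(count) as count by user Logon_Type
| outputlookup logon_type_firstseen.csv
| where earliest >= relative_time(now(), "-24h@h")
| eval earliest=strftime(earliest, "%Y-%m-%d %H:%M:%S"), latest=strftime(latest, "%Y-%m-%d %H:%M:%S")
| table user Logon_Type earliest latest count
```

Seed the lookup once before scheduling this search (run the first two lines over your full retention window and pipe them to outputlookup logon_type_firstseen.csv), because inputlookup errors if the file does not yet exist. The min/max stats after the append are what make the cache work: a pair already in the lookup keeps its original earliest time and therefore never fires again, while a pair seen for the first time carries only today's earliest and passes the where clause. Keep the time range of the scheduled search at least as wide as the schedule interval so no events fall between runs.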

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

You should not review these alerts directly (except for high sensitivity accounts), but instead use them for context, or to aggregate risk across detections so that a user who trips several behavioral searches rises to the top.

How To Respond

When this search returns results, initiate your incident response process. Capture the time of the event, the user account, the systems that were logged into and, for remote logons, the source the logon came from, the credentials that were used, the processes executed and any other pertinent information. Contact the user and the owner of the system. If the behavior is authorized, document that it is authorized and by whom. If not, the user's credentials may have been used by another party and additional investigation is warranted.

Help

New Logon Type for User Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of logon events. We check the first time each user has performed each logon type and alert if that first occurrence was in the last day.

SPL for New Logon Type for User

Demo Data

First we pull in our demo dataset.
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
Next we calculate the most recent value in our demo dataset
We end by seeing if the earliest time we've seen this value is within the last day of the end of our demo dataset.

Live Data

First we pull in our dataset of Windows Authentication where there is a Logon_Type defined.
Then we use table to include just the fields we're apt to care about. (Technically we need to use | table for this app because we show you the intermediate results, but in production you should drop this line because it will reduce search performance.)
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.
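The two searches described above, reconstructed here as an added example (not the app's own saved search). The first is the live-data search: it pulls successful Windows logons that carry a Logon_Type, computes the earliest and latest time for each user/logon-type pair, and keeps only pairs first seen since the start of yesterday. The second is the demo-data variant, which cannot use now() because the demo dataset is static, so it uses eventstats to find the most recent event in the dataset and measures "the last day" from that point. The sourcetype WinEventLog:Security, the EventCode 4624 filter, and the field names user and Logon_Type are assumptions about your onboarding; the page's intermediate table command is omitted because, as noted above, it only costs performance in production.

```spl
sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=*
| stats earliest(_time) as earliest latest(_time) as latest count by user Logon_Type
| where earliest >= relative_time(now(), "-1d@d")
| eval earliest=strftime(earliest, "%Y-%m-%d %H:%M:%S"), latest=strftime(latest, "%Y-%m-%d %H:%M:%S")

sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=*
| stats earliest(_time) as earliest latest(_time) as latest count by user Logon_Type
| eventstats max(latest) as maxlatest
| where earliest >= relative_time(maxlatest, "-1d")
| eval earliest=strftime(earliest, "%Y-%m-%d %H:%M:%S"), latest=strftime(latest, "%Y-%m-%d %H:%M:%S")
```

Two checks worth making before trusting the output. First, the search must run over the entire history you want to compare against (or use the lookup cache); if the time picker covers only the last day, every pair is "new" and the search fires on everything. Second, EventCode 4625 (failed logon) also populates Logon_Type, so without the 4624 filter a single failed attempt at a new logon type would alert alongside genuine first-time successful logons; decide deliberately which you want. Common Logon_Type values for triage: 2 Interactive, 3 Network, 4 Batch, 5 Service, 7 Unlock, 8 NetworkCleartext, 9 NewCredentials, 10 RemoteInteractive, 11 CachedInteractive. A user whose history is entirely type 2 and 10 suddenly appearing with type 3 or 9 is the kind of change the Valid Accounts technique mapping has in mind. Appending user!="*$" to the base search drops computer accounts, which generate large volumes of type 3 and 5 logons and are rarely the interesting case here.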