CrowdStrike Searches
User Login Success
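index=main sourcetype=UserLogon* event_simpleName=UserLogon event_platform=win
| search UserName="USERNAME" ```Add your UserName here```
```Label the Windows logon type. The original compared a misspelled field (LogonType_dgecimal) for type 7, so "Unlock" never matched; codes with no label now fall through to the raw number instead of a blank cell.```
| eval LogonType=case(
    LogonType_decimal="2", "Interactive",
    LogonType_decimal="3", "Network",
    LogonType_decimal="4", "Batch",
    LogonType_decimal="5", "Service",
    LogonType_decimal="6", "Proxy",
    LogonType_decimal="7", "Unlock",
    LogonType_decimal="8", "Network Cleartext",
    LogonType_decimal="9", "New Credentials",
    LogonType_decimal="10", "RDP",
    LogonType_decimal="11", "Cached Credentials",
    LogonType_decimal="12", "Auditing",
    LogonType_decimal="13", "Unlock Workstation",
    true(), LogonType_decimal)
| table _time, UserName, ComputerName, LocalAddressIP4, LogonType, LogonDomain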
User Login Failed
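index=main sourcetype=UserLogon* event_simpleName=UserLogonFailed* event_platform=win SubStatus_decimal!=0
| search UserName="USERNAME" ```Add your UserName here```
```tostring(...,"hex") renders the NTSTATUS code with a 0x prefix; lower-case it so the lookup below is case-insensitive (the original chain mixed "0xC..." and "0xc..." literals, and replace() is case-sensitive, so at least one code could never match).```
| eval SubStatus_hex=lower(tostring(SubStatus_decimal,"hex"))
```One case() instead of thirteen chained replace() calls: each code maps to exactly one message, and unknown codes keep their hex value so they stay visible.```
| eval SubStatus_decimal=case(
    SubStatus_hex="0xc0000064", "User name does not exist",
    SubStatus_hex="0xc000006a", "User name is correct but the password is wrong",
    SubStatus_hex="0xc0000234", "User is currently locked out",
    SubStatus_hex="0xc0000072", "Account is currently disabled",
    SubStatus_hex="0xc000006f", "User tried to logon outside his day of week or time of day restrictions",
    SubStatus_hex="0xc0000070", "Workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)",
    SubStatus_hex="0xc0000193", "Account expiration",
    SubStatus_hex="0xc0000071", "Expired password",
    SubStatus_hex="0xc0000133", "Clocks between DC and other computer too far out of sync",
    SubStatus_hex="0xc0000224", "User is required to change password at next logon",
    SubStatus_hex="0xc0000225", "Evidently a bug in Windows and not a risk",
    SubStatus_hex="0xc000015b", "The user has not been granted the requested logon type (aka logon right) at this machine",
    SubStatus_hex="0xc000006e", "Unknown user name or bad password",
    true(), SubStatus_hex)
| eval LogonType=case(
    LogonType_decimal="2", "Interactive",
    LogonType_decimal="3", "Network",
    LogonType_decimal="4", "Batch",
    LogonType_decimal="5", "Service",
    LogonType_decimal="6", "Proxy",
    LogonType_decimal="7", "Unlock",
    LogonType_decimal="8", "Network Cleartext",
    LogonType_decimal="9", "New Credentials",
    LogonType_decimal="10", "RDP",
    LogonType_decimal="11", "Cached Credentials",
    LogonType_decimal="12", "Auditing",
    LogonType_decimal="13", "Unlock Workstation",
    true(), LogonType_decimal) ```Type 7 was compared against a misspelled field (LogonType_dgecimal) in the original, so "Unlock" never matched```
```The original sorted on failedCount, but nothing produced that field, so the sort was a no-op. Count failures per user/host here so the busiest pairs really do come first.```
| eventstats count AS failedCount BY UserName, ComputerName
| table _time, UserName, ComputerName, LocalAddressIP4, LogonType, SubStatus_decimal, LogonDomain, failedCount
| sort - failedCount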
RDP to Host
event_simpleName=UserLogon event_platform=win LogonType_decimal=10 RemoteAddressIP4!=""
| search (UserName="USERNAME" OR ComputerName="COMPUTERNAME") ```Change the user or hostname. If only one is present, use a *.```
```Type 10 logons with a populated remote address: one row per agent/host/user/SID, with the set of source addresses and how many connections they made.```
| stats dc(RemoteAddressIP4) AS "Unique IPs",
        count(RemoteAddressIP4) AS "Connection Count",
        values(RemoteAddressIP4) AS "Connecting IP"
  BY aid, ComputerName, UserName, UserSid_readable
| sort - "Connection Count"
| rename aid AS "Agent ID"
RDP from Host
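```Parenthesised explicitly: SPL gives OR higher precedence than the implicit AND between terms, so the original parsed as intended but only by accident of precedence.```
index=main event_platform=win sourcetype IN (NetworkConnectIP4*, ProcessRollup2*) ((event_simpleName=NetworkConnectIP4 AND RPort=3389) OR event_simpleName=ProcessRollup2)
| search (UserName="USERNAME" OR ComputerName="COMPUTERNAME") ```Change the user or hostname. If only one is present, use a *.```
```Join key: the two event types presumably carry the process id in different fields (Target vs Context); coalesce so both land on one key.```
| eval falconPID=coalesce(TargetProcessId_decimal, ContextProcessId_decimal)
```The other searches on this page use RemoteAddressIP4 for the peer address; fall back to it when RemoteIP is not populated so the column is not blank.```
| eval RemoteIP=coalesce(RemoteIP, RemoteAddressIP4)
| stats dc(event_simpleName) AS eventCount,
        earliest(ContextTimeStamp_decimal) AS ConnectionTime,
        values(ComputerName) AS ComputerName,
        values(FileName) AS FileName,
        values(CommandLine) AS CommandLine,
        values(RemoteIP) AS RemoteIP,
        values(RPort) AS RemotePort
  BY aid, falconPID
```Only two event types are searched, so eventCount > 1 keeps processes seen in both: a process record plus an outbound 3389 connection.```
| where eventCount > 1
| table ConnectionTime, ComputerName, FileName, falconPID, CommandLine, RemotePort, RemoteIP
| convert ctime(ConnectionTime)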
SSO Requests
index=main sourcetype=SsoApplication* event_simpleName=SsoApplicationAccess
| search SourceAccountUserName="USERNAME" ```Change the username```
```Give the raw SSO fields report-friendly headings in one rename instead of six.```
| rename _time AS Time,
         SourceAccountUserName AS UserName,
         SourceEndpointAddressIP4 AS "Source IP",
         SsoApplicationIdentifier AS "SSO Application",
         ClientUserAgentString AS "User Agent",
         event_err AS "Event Error?"
| table Time, UserName, "Source IP", "SSO Application", "User Agent", "Event Error?"