In the dynamic realm of cybersecurity, meticulous monitoring of successful login events is essential for spotting potential anomalies. This article delves into the criteria and rule formulation for anomaly detection within Event ID 4624, specifically focusing on successful login activities:
1. Event ID 4624, LogonType 10, and Source Address 127.*.*.* or ::1 (Loopback Address):
Criteria:
Event ID 4624.
LogonType 10.
Source address 127.*.*.* or ::1 (loopback address).
Significance:
Monitor successful remote (RDP) logins whose source is the loopback address; this often indicates RDP tunneling. An attacker may forward the RDP session over a separate protocol so that the connection appears to come from localhost, evading network-based detection and reaching systems that would otherwise be unreachable.
2. Event ID 4624, LogonType 10, and Source Address Not Private IP:
Criteria:
Event ID 4624.
LogonType 10.
Source address not within the company's subnet.
Significance:
Track successful logins originating from a remote system with an address outside your company's subnet.
3. Event ID 4624, LogonType 10 or 3, Same Username, Different Source Address within 5 Minutes:
Criteria:
Event ID 4624.
LogonType 10 or 3.
Same username.
Different source addresses.
Within a 5-minute timeframe.
Significance:
Monitor successful logins with the same username but from different source IP addresses over the network or from a remote system within a 5-minute window.
Bonus: Successful Logins Following a Specified Number of Failed Attempts within a Defined Timeframe:
Criteria:
Track a specified number of failed login attempts.
Followed by successful login events.
Within a defined timeframe.
Significance:
After a notable number of failed login attempts, closely monitor and analyze successful login events within a specific timeframe. This can be indicative of a persistent threat.
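The four rules above as a small detector run over constructed sample events; this is an added example, not code from the article. It assumes an internal address space (CORP_NETS), a 5-minute window and a failure threshold of 3, and it treats the "-" that 4624 records when no network address applies as "no IP".

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed company address space; replace with the real internal ranges.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WINDOW = timedelta(minutes=5)   # time window for rule 3 and the bonus rule
FAIL_THRESHOLD = 3              # bonus rule: failed attempts before a success

# Constructed sample events (Security log fields), not real log data.
EVENTS = [
    {"t": "2024-01-01T09:00:00", "id": 4625, "type": 10, "user": "alice", "ip": "203.0.113.7"},
    {"t": "2024-01-01T09:00:05", "id": 4625, "type": 10, "user": "alice", "ip": "203.0.113.7"},
    {"t": "2024-01-01T09:00:10", "id": 4625, "type": 10, "user": "alice", "ip": "203.0.113.7"},
    {"t": "2024-01-01T09:00:20", "id": 4624, "type": 10, "user": "alice", "ip": "203.0.113.7"},
    {"t": "2024-01-01T09:02:00", "id": 4624, "type": 10, "user": "bob", "ip": "127.0.0.1"},
    {"t": "2024-01-01T09:03:00", "id": 4624, "type": 3, "user": "bob", "ip": "10.0.0.5"},
    {"t": "2024-01-01T10:00:00", "id": 4624, "type": 2, "user": "carol", "ip": "-"},
]

def parse_ip(raw):
    """4624 records '-' when no network address applies; treat that as no IP."""
    try:
        return ip_address(raw)
    except ValueError:
        return None

def detect(events):
    """Apply the four rules and return (rule, user, timestamp) tuples."""
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["t"])} for e in events),
                 key=lambda e: e["ts"])
    hits = []
    for i, e in enumerate(evs):
        if e["id"] != 4624:
            continue
        ip = parse_ip(e["ip"])
        if e["type"] == 10 and ip is not None:
            if ip.is_loopback:                          # rule 1: RDP over loopback (tunneling)
                hits.append(("loopback_rdp", e["user"], e["t"]))
            elif not any(ip in n for n in CORP_NETS):   # rule 2: RDP from outside the company
                hits.append(("external_rdp", e["user"], e["t"]))
        # Same user's earlier events inside the window, for rule 3 and the bonus rule.
        prior = [p for p in evs[:i] if p["user"] == e["user"] and e["ts"] - p["ts"] <= WINDOW]
        if e["type"] in (3, 10) and any(
                p["id"] == 4624 and p["type"] in (3, 10) and p["ip"] != e["ip"] for p in prior):
            hits.append(("ip_switch", e["user"], e["t"]))   # rule 3: same user, new source IP
        if sum(p["id"] == 4625 for p in prior) >= FAIL_THRESHOLD:
            hits.append(("success_after_failures", e["user"], e["t"]))  # bonus rule
    return hits

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(*hit)
```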
By implementing and regularly reviewing these anomaly detection rules, organizations can fortify their cybersecurity defenses, maintaining a proactive stance against potential threats associated with successful login events. Remember, continuous vigilance and adaptive rule formulations are crucial to staying one step ahead in the dynamic realm of cybersecurity.