hunting/windows/docs/windows_logon_activity_by_source_ip.md

# Windows Logon Activity by Source IP

---

## Metadata

- **Author:** Elastic
- **Description:** This hunt returns a summary of network logon activity by `source.ip` using Windows event IDs 4624 and 4625. The higher the number of failures, low success and multiple accounts the more suspicious the behavior is.

- **UUID:** `441fba85-47a9-4f1f-aab4-569bbfdc548b`
- **Integration:** [system](https://docs.elastic.co/integrations/system)
- **Language:** `[ES|QL]`
- **Source File:** [Windows Logon Activity by Source IP](../queries/windows_logon_activity_by_source_ip.toml)

## Query

```sql
from logs-system.security-*
| where  @timestamp > now() - 7 day
| where host.os.family == "windows" and
  event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and
  source.ip is not null and
  /* noisy failure status codes often associated to authentication misconfiguration */
  not (event.action == "logon-failed" and winlog.event_data.Status in ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192"))
| eval failed = case(event.action == "logon-failed", source.ip, null), success = case(event.action == "logged-in", source.ip, null)
| stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(winlog.event_data.TargetUserName) by source.ip
 /* below threshold should be adjusted to your env logon patterns */
| where count_failed >= 100 and count_success <= 10 and count_user >= 20
```

## Notes

- Pay close attention to IP address sources with a high number of failed connections associated with low success attempts and high number of user accounts.

## MITRE ATT&CK Techniques

- [T1110](https://attack.mitre.org/techniques/T1110)
- [T1110.001](https://attack.mitre.org/techniques/T1110/001)
- [T1110.003](https://attack.mitre.org/techniques/T1110/003)

## License

- `Elastic License v2`
[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 ) 2024-06-25 09:35:36 -04:00			`# Windows Logon Activity by Source IP`
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00
			`---`

			`## Metadata`

			`- Author: Elastic`
[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 ) 2024-06-25 09:35:36 -04:00			- Description: This hunt returns a summary of network logon activity by `source.ip` using Windows event IDs 4624 and 4625. The higher the number of failures, low success and multiple accounts the more suspicious the behavior is.

[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			- UUID: `441fba85-47a9-4f1f-aab4-569bbfdc548b`
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00			`- Integration: [system](https://docs.elastic.co/integrations/system)`
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			- Language: `[ES\|QL]`
[Bug] Normalize Hunting Index Link Generation (#3872 ) 2024-07-10 11:01:59 -04:00			`- Source File: [Windows Logon Activity by Source IP](../queries/windows_logon_activity_by_source_ip.toml)`
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00
			`## Query`

			```sql
			`from logs-system.security-*`
			`\| where @timestamp > now() - 7 day`
[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 ) 2024-06-25 09:35:36 -04:00			`\| where host.os.family == "windows" and`
			`event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and`
			`source.ip is not null and`
			`/* noisy failure status codes often associated to authentication misconfiguration */`
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00			`not (event.action == "logon-failed" and winlog.event_data.Status in ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192"))`
			`\| eval failed = case(event.action == "logon-failed", source.ip, null), success = case(event.action == "logged-in", source.ip, null)`
			`\| stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(winlog.event_data.TargetUserName) by source.ip`
			`/* below threshold should be adjusted to your env logon patterns */`
			`\| where count_failed >= 100 and count_success <= 10 and count_user >= 20`
			```

			`## Notes`

[Hunt Tuning] Add Descriptions, Collapse Queries and Re-Generate Docs (#3791 ) 2024-06-25 09:35:36 -04:00			`- Pay close attention to IP address sources with a high number of failed connections associated with low success attempts and high number of user accounts.`
[Bug] Normalize Hunting Index Link Generation (#3872 ) 2024-07-10 11:01:59 -04:00
[New hunts] 50 ES\|QL Windows Hunt Queries (#3642 ) 2024-06-12 09:09:09 -07:00			`## MITRE ATT&CK Techniques`

			`- [T1110](https://attack.mitre.org/techniques/T1110)`
			`- [T1110.001](https://attack.mitre.org/techniques/T1110/001)`
			`- [T1110.003](https://attack.mitre.org/techniques/T1110/003)`

			`## License`

			- `Elastic License v2`