Rule Description
This rule detects interactive logons outside of specified “business hours” by matching a regular expression against the event's own `TimeCreated/SystemTime` value, which the Windows Event Log records in UTC (trailing `Z`). Convert your local working hours to UTC before adjusting the hour alternation in the pattern, and note that the rule has no notion of weekdays or holidays: a weekend logon at 11:00 UTC is not flagged unless you add that logic. The example below treats 09:00–16:59 UTC as business hours and fires on any interactive logon whose hour falls outside that window.
Detect
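# Interactive logon (4624) outside business hours. The hour is taken from the
# event's own SystemTime, an ISO 8601 UTC timestamp ("2025-03-07T17:57:50.9031348Z"),
# so the window below is expressed in UTC, not local time.
# NOTE(review): SystemTime comes from the endpoint's clock; a skewed or tampered
# clock shifts the hour this rule sees. The rule also has no weekday/holiday logic.
event: WEL
op: and
rules:
  # Successful logon events from the Security channel only.
  - op: is
    path: event/EVENT/System/EventID
    value: '4624'
  - op: is
    path: event/EVENT/System/Channel
    value: Security
  # Hour outside 09:00-16:59 UTC. Each alternative is a two-digit hour
  # (00-08, 17-19, 20-23) following the 'T' date/time separator; the trailing
  # ':[0-5][0-9]' requires it to be followed by minutes. To change the window,
  # edit the hour alternatives only.
  - op: matches
    path: event/EVENT/System/TimeCreated/SystemTime
    re: 'T(?:0[0-8]|1[789]|2[0-3]):[0-5][0-9]'
  # Interactive-style logon types only: 2 Interactive, 7 Unlock,
  # 10 RemoteInteractive (RDP), 11 CachedInteractive. Network (3), batch (4)
  # and service (5) logons are deliberately excluded.
  # Tuning: expect noise from jump hosts, on-call staff and machine accounts
  # (TargetUserName ending in '$'); add exclusions for those as needed.
  - op: matches
    path: event/EVENT/EventData/LogonType
    re: '^(2|7|10|11)$'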
Respond
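# Raise a detection under this name. No automated containment (isolation,
# account disable, etc.) is performed; triage is left to the analyst.
- action: report
  name: Interactive Logon Outside of Working Hours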
Test Event Target(s)
A sample that would fire a detection: a LogonType 10 (RemoteInteractive/RDP, IpPort 3389) logon for `Administrator` with a `SystemTime` of 17:57:50 UTC, which is outside the 09:00–16:59 window.
{
"event": {
"EVENT": {
"EventData": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "192.168.1.100",
"IpPort": "3389",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "User32",
"LogonType": "10",
"ProcessId": "0x4c0",
"ProcessName": "C:\\Windows\\System32\\winlogon.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "DOMAIN",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "SERVER-NAME$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "DOMAIN",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x19f4c",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "Administrator",
"TargetUserSid": "S-1-5-21-0000000000-0000000000-0000000000-500",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "WORKSTATION-NAME"
},
"System": {
"Channel": "Security",
"Computer": "server-name.domain.com",
"Correlation": {
"ActivityID": "{8f3130a4-6d64-0001-9a15-37e4707edb01}"
},
"EventID": "4624",
"EventRecordID": "532823",
"Execution": {
"ProcessID": "660",
"ThreadID": "5632"
},
"Keywords": "0x8020000000000000",
"Level": "0",
"Opcode": "0",
"Provider": {
"Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"Name": "Microsoft-Windows-Security-Auditing"
},
"Security": "",
"Task": "12544",
"TimeCreated": {
"SystemTime": "2025-03-07T17:57:50.9031348Z"
},
"Version": "2",
"_event_id": "4624"
}
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "44a09eb5-e828-4563-9fa0-11503bb8d8b8",
"event_time": 1741370271894,
"event_type": "WEL",
"ext_ip": "203.0.113.10",
"hostname": "server-name.domain.com",
"iid": "6e904fad-a376-45fa-a667-4b2454de7b7b",
"int_ip": "10.0.0.1",
"latency": 25,
"moduleid": 2,
"oid": "df2eb9e5-12b8-454c-b75e-5bc8699eef23",
"plat": 268435456,
"sid": "193f72c4-450b-4644-b2f0-79a1558f9eae",
"tags": [
"windows"
],
"this": "083318d3955b9ecaed013ff067cb339f"
},
"ts": "2025-03-07 17:57:51"
}
A sample that would not fire: its `SystemTime` is 16:30:12 UTC, inside the business-hours window. Only `SystemTime` is evaluated; the sample's `routing.event_time` and `ts` still read 17:57:51 and are ignored by the rule.
{
"event": {
"EVENT": {
"EventData": {
"AuthenticationPackageName": "Negotiate",
"ElevatedToken": "%%1842",
"ImpersonationLevel": "%%1833",
"IpAddress": "192.168.1.100",
"IpPort": "3389",
"KeyLength": "0",
"LmPackageName": "-",
"LogonGuid": "{00000000-0000-0000-0000-000000000000}",
"LogonProcessName": "User32",
"LogonType": "10",
"ProcessId": "0x4c0",
"ProcessName": "C:\\Windows\\System32\\winlogon.exe",
"RestrictedAdminMode": "-",
"SubjectDomainName": "DOMAIN",
"SubjectLogonId": "0x3e7",
"SubjectUserName": "SERVER-NAME$",
"SubjectUserSid": "S-1-5-18",
"TargetDomainName": "DOMAIN",
"TargetLinkedLogonId": "0x0",
"TargetLogonId": "0x19f4c",
"TargetOutboundDomainName": "-",
"TargetOutboundUserName": "-",
"TargetUserName": "Administrator",
"TargetUserSid": "S-1-5-21-0000000000-0000000000-0000000000-500",
"TransmittedServices": "-",
"VirtualAccount": "%%1843",
"WorkstationName": "WORKSTATION-NAME"
},
"System": {
"Channel": "Security",
"Computer": "server-name.domain.com",
"Correlation": {
"ActivityID": "{8f3130a4-6d64-0001-9a15-37e4707edb01}"
},
"EventID": "4624",
"EventRecordID": "532823",
"Execution": {
"ProcessID": "660",
"ThreadID": "5632"
},
"Keywords": "0x8020000000000000",
"Level": "0",
"Opcode": "0",
"Provider": {
"Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"Name": "Microsoft-Windows-Security-Auditing"
},
"Security": "",
"Task": "12544",
"TimeCreated": {
"SystemTime": "2025-03-07T16:30:12.9031348Z"
},
"Version": "2",
"_event_id": "4624"
}
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "44a09eb5-e828-4563-9fa0-11503bb8d8b8",
"event_time": 1741370271894,
"event_type": "WEL",
"ext_ip": "203.0.113.10",
"hostname": "server-name.domain.com",
"iid": "6e904fad-a376-45fa-a667-4b2454de7b7b",
"int_ip": "10.0.0.1",
"latency": 25,
"moduleid": 2,
"oid": "df2eb9e5-12b8-454c-b75e-5bc8699eef23",
"plat": 268435456,
"sid": "193f72c4-450b-4644-b2f0-79a1558f9eae",
"tags": [
"windows"
],
"this": "083318d3955b9ecaed013ff067cb339f"
},
"ts": "2025-03-07 17:57:51"
}