Outside Business Hours Logon Detection

Rule Description
This rule detects interactive logons outside of specified “business hours” using a regular expression pattern against the WEL UTC creation time of the event. Be sure to adjust the pattern for the correct range of your expected logon times. The example below looks for logons outside of 9am - 5pm UTC.

Detect

event: WEL
op: and
rules:
  - op: is
    path: event/EVENT/System/EventID
    value: '4624'
  - op: is
    path: event/EVENT/System/Channel
    value: Security
  - op: matches
    path: event/EVENT/System/TimeCreated/SystemTime
    re: 'T(?:0[0-8]|1[89]|2[0-3]|17:[0-5][0-9]):[0-5][0-9]'
  - op: or
    rules:
    - op: matches
      path: event/EVENT/EventData/LogonType
      re: '^(2|7|10|11)$'

Respond

- action: report
  name: Interactive Logon Outside of Working Hours

Test Event Target(s)
A sample that would fire a detection

{
  "event": {
    "EVENT": {
      "EventData": {
        "AuthenticationPackageName": "Negotiate",
        "ElevatedToken": "%%1842",
        "ImpersonationLevel": "%%1833",
        "IpAddress": "192.168.1.100",
        "IpPort": "3389",
        "KeyLength": "0",
        "LmPackageName": "-",
        "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
        "LogonProcessName": "User32",
        "LogonType": "10",
        "ProcessId": "0x4c0",
        "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
        "RestrictedAdminMode": "-",
        "SubjectDomainName": "DOMAIN",
        "SubjectLogonId": "0x3e7",
        "SubjectUserName": "SERVER-NAME$",
        "SubjectUserSid": "S-1-5-18",
        "TargetDomainName": "DOMAIN",
        "TargetLinkedLogonId": "0x0",
        "TargetLogonId": "0x19f4c",
        "TargetOutboundDomainName": "-",
        "TargetOutboundUserName": "-",
        "TargetUserName": "Administrator",
        "TargetUserSid": "S-1-5-21-0000000000-0000000000-0000000000-500",
        "TransmittedServices": "-",
        "VirtualAccount": "%%1843",
        "WorkstationName": "WORKSTATION-NAME"
      },
      "System": {
        "Channel": "Security",
        "Computer": "server-name.domain.com",
        "Correlation": {
          "ActivityID": "{8f3130a4-6d64-0001-9a15-37e4707edb01}"
        },
        "EventID": "4624",
        "EventRecordID": "532823",
        "Execution": {
          "ProcessID": "660",
          "ThreadID": "5632"
        },
        "Keywords": "0x8020000000000000",
        "Level": "0",
        "Opcode": "0",
        "Provider": {
          "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "Name": "Microsoft-Windows-Security-Auditing"
        },
        "Security": "",
        "Task": "12544",
        "TimeCreated": {
          "SystemTime": "2025-03-07T17:57:50.9031348Z"
        },
        "Version": "2",
        "_event_id": "4624"
      }
    }
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "44a09eb5-e828-4563-9fa0-11503bb8d8b8",
    "event_time": 1741370271894,
    "event_type": "WEL",
    "ext_ip": "203.0.113.10",
    "hostname": "server-name.domain.com",
    "iid": "6e904fad-a376-45fa-a667-4b2454de7b7b",
    "int_ip": "10.0.0.1",
    "latency": 25,
    "moduleid": 2,
    "oid": "df2eb9e5-12b8-454c-b75e-5bc8699eef23",
    "plat": 268435456,
    "sid": "193f72c4-450b-4644-b2f0-79a1558f9eae",
    "tags": [
      "windows"
    ],
    "this": "083318d3955b9ecaed013ff067cb339f"
  },
  "ts": "2025-03-07 17:57:51"
}

A sample that would not

{
  "event": {
    "EVENT": {
      "EventData": {
        "AuthenticationPackageName": "Negotiate",
        "ElevatedToken": "%%1842",
        "ImpersonationLevel": "%%1833",
        "IpAddress": "192.168.1.100",
        "IpPort": "3389",
        "KeyLength": "0",
        "LmPackageName": "-",
        "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
        "LogonProcessName": "User32",
        "LogonType": "10",
        "ProcessId": "0x4c0",
        "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
        "RestrictedAdminMode": "-",
        "SubjectDomainName": "DOMAIN",
        "SubjectLogonId": "0x3e7",
        "SubjectUserName": "SERVER-NAME$",
        "SubjectUserSid": "S-1-5-18",
        "TargetDomainName": "DOMAIN",
        "TargetLinkedLogonId": "0x0",
        "TargetLogonId": "0x19f4c",
        "TargetOutboundDomainName": "-",
        "TargetOutboundUserName": "-",
        "TargetUserName": "Administrator",
        "TargetUserSid": "S-1-5-21-0000000000-0000000000-0000000000-500",
        "TransmittedServices": "-",
        "VirtualAccount": "%%1843",
        "WorkstationName": "WORKSTATION-NAME"
      },
      "System": {
        "Channel": "Security",
        "Computer": "server-name.domain.com",
        "Correlation": {
          "ActivityID": "{8f3130a4-6d64-0001-9a15-37e4707edb01}"
        },
        "EventID": "4624",
        "EventRecordID": "532823",
        "Execution": {
          "ProcessID": "660",
          "ThreadID": "5632"
        },
        "Keywords": "0x8020000000000000",
        "Level": "0",
        "Opcode": "0",
        "Provider": {
          "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "Name": "Microsoft-Windows-Security-Auditing"
        },
        "Security": "",
        "Task": "12544",
        "TimeCreated": {
          "SystemTime": "2025-03-07T16:30:12.9031348Z"
        },
        "Version": "2",
        "_event_id": "4624"
      }
    }
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "44a09eb5-e828-4563-9fa0-11503bb8d8b8",
    "event_time": 1741370271894,
    "event_type": "WEL",
    "ext_ip": "203.0.113.10",
    "hostname": "server-name.domain.com",
    "iid": "6e904fad-a376-45fa-a667-4b2454de7b7b",
    "int_ip": "10.0.0.1",
    "latency": 25,
    "moduleid": 2,
    "oid": "df2eb9e5-12b8-454c-b75e-5bc8699eef23",
    "plat": 268435456,
    "sid": "193f72c4-450b-4644-b2f0-79a1558f9eae",
    "tags": [
      "windows"
    ],
    "this": "083318d3955b9ecaed013ff067cb339f"
  },
  "ts": "2025-03-07 17:57:51"
}

A great way to test patterns for a rule like this is with https://regexr.com/

Use the “tests” feature to run your pattern against several timestamps, both inside and outside of your time range, to ensure your match works as expected.
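As an added example (not part of the original post, and not the LimaCharlie rule engine itself), the Python below reproduces the logic of the Detect block above and generalises the hand-written hour alternation: `off_hours_pattern` builds the SystemTime regex for any business-hours range, including one that wraps midnight once local hours are shifted to UTC. It assumes the rule's `matches` op is an unanchored search (the time regex in the rule has no `^`/`$`), and the `wel_logon` events it builds are constructed, carrying only the fields the rule inspects.

```python
import re

# Regex exactly as written in the rule above, kept to check the generated one against.
ORIGINAL_RE = r"T(?:0[0-8]|1[89]|2[0-3]|17:[0-5][0-9]):[0-5][0-9]"
# Logon types the rule treats as interactive: 2 console, 7 unlock, 10 RDP, 11 cached.
INTERACTIVE_LOGON_TYPES = re.compile(r"^(2|7|10|11)$")


def off_hours_pattern(start_hour: int, end_hour: int) -> str:
    """SystemTime regex firing outside [start_hour, end_hour) UTC; the range may
    wrap midnight (e.g. 22 -> 6), which happens when local hours are shifted to UTC."""
    if start_hour < end_hour:
        business = set(range(start_hour, end_hour))
    else:
        business = set(range(start_hour, 24)) | set(range(0, end_hour))
    off = "|".join(f"{h:02d}" for h in range(24) if h not in business)
    return rf"T(?:{off}):[0-5][0-9]"


def get_path(event: dict, path: str):
    """Walk a slash-separated path like the rule's `path:` keys; None if absent."""
    node = event
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def rule_matches(event: dict, off_hours_re: str) -> bool:
    """Reproduce the Detect block. Assumes `matches` is an unanchored search
    (the rule's time regex has no ^/$), hence re.search rather than fullmatch."""
    system_time = get_path(event, "event/EVENT/System/TimeCreated/SystemTime") or ""
    logon_type = get_path(event, "event/EVENT/EventData/LogonType") or ""
    return (
        get_path(event, "event/EVENT/System/EventID") == "4624"
        and get_path(event, "event/EVENT/System/Channel") == "Security"
        and re.search(off_hours_re, system_time) is not None
        and INTERACTIVE_LOGON_TYPES.match(logon_type) is not None
    )


def wel_logon(system_time: str, logon_type: str = "10") -> dict:
    """Constructed WEL 4624 event carrying only the fields the rule inspects."""
    return {"event": {"EVENT": {
        "System": {"EventID": "4624", "Channel": "Security", "TimeCreated": {"SystemTime": system_time}},
        "EventData": {"LogonType": logon_type}}}}


def hours_matched(pattern: str) -> set:
    """UTC hours on which a SystemTime pattern fires, probed once per hour."""
    return {h for h in range(24)
            if re.search(pattern, f"2025-03-07T{h:02d}:30:00.0000000Z")}
```

Running `hours_matched` over both the rule's own regex and `off_hours_pattern(9, 17)` confirms they fire on the same hours (00-08 and 17-23), and the two sample timestamps from the test events above evaluate to a match and a non-match respectively.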

@eric_capuano Hey, I am facing an issue regarding this. Firstly, no WEL events are shown in the timeline even though I have allowed collection. Second, is the default time zone UST, or is there a way to customise the timezone? Thirdly, I did write a similar rule to the above, but it's not working.

WEL events must be configured with Artifact Collection. See the docs here: Ingesting Windows Event Logs

UTC is the time zone in which Windows records event logs; this is how it should be.

You may need to work with your regex pattern until you get the desired result.


Thank you for the info, I was able to get the outcome that I wanted.