Outside Business Hours Logon Detection

Rule Description
This rule detects interactive logons outside of specified “business hours” by running a regular expression against the event's UTC creation time (`event/EVENT/System/TimeCreated/SystemTime`). Be sure to adjust the pattern for the correct range of your expected logon times: the timestamp is UTC, not local time, so convert your working hours into UTC (and revisit them when daylight-saving time shifts them), and note that the pattern has no notion of weekends or holidays — every day is treated as a working day. The example below treats 09:00:00–16:59:59 UTC as business hours, so any matching logon before 09:00 or at/after 17:00 UTC is reported.

Detect

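# Interactive logon (Security 4624) whose TimeCreated/SystemTime falls outside
# the expected working window. SystemTime is the UTC event creation time, so the
# hour ranges below are UTC hours, not local time — convert your business hours
# to UTC and revisit them when DST shifts them.
event: WEL
op: and
rules:
  # Security 4624: an account was successfully logged on.
  - op: is
    path: event/EVENT/System/EventID
    value: '4624'
  - op: is
    path: event/EVENT/System/Channel
    value: Security
  # SystemTime looks like 2025-03-07T17:57:50.9031348Z; match on the hour that
  # follows the 'T'. Flagged hours: 00-08 and 17-23, i.e. anything before 09:00
  # or at/after 17:00 UTC. There is no day-of-week check, so weekend and holiday
  # logons inside these hours are not flagged.
  - op: matches
    path: event/EVENT/System/TimeCreated/SystemTime
    re: 'T(?:0[0-8]|1[789]|2[0-3]):[0-5][0-9]'
  # Restrict to interactive-style logons: 2 Interactive, 7 Unlock,
  # 10 RemoteInteractive (RDP), 11 CachedInteractive. Network (3) and
  # service/batch (4, 5) logons are excluded. Type 7 (workstation unlock) is
  # noisy on always-on hosts; drop it if unlocks are not of interest.
  - op: matches
    path: event/EVENT/EventData/LogonType
    re: '^(2|7|10|11)$'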

Respond

# Emit a detection with this name when every condition in the Detect block matches.
- action: report
  name: Interactive Logon Outside of Working Hours

Test Event Target(s)
A sample that would fire a detection (LogonType 10, an RDP logon, with a SystemTime of 17:57:50 UTC — outside the 09:00–16:59 UTC window)

{
  "event": {
    "EVENT": {
      "EventData": {
        "AuthenticationPackageName": "Negotiate",
        "ElevatedToken": "%%1842",
        "ImpersonationLevel": "%%1833",
        "IpAddress": "192.168.1.100",
        "IpPort": "3389",
        "KeyLength": "0",
        "LmPackageName": "-",
        "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
        "LogonProcessName": "User32",
        "LogonType": "10",
        "ProcessId": "0x4c0",
        "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
        "RestrictedAdminMode": "-",
        "SubjectDomainName": "DOMAIN",
        "SubjectLogonId": "0x3e7",
        "SubjectUserName": "SERVER-NAME$",
        "SubjectUserSid": "S-1-5-18",
        "TargetDomainName": "DOMAIN",
        "TargetLinkedLogonId": "0x0",
        "TargetLogonId": "0x19f4c",
        "TargetOutboundDomainName": "-",
        "TargetOutboundUserName": "-",
        "TargetUserName": "Administrator",
        "TargetUserSid": "S-1-5-21-0000000000-0000000000-0000000000-500",
        "TransmittedServices": "-",
        "VirtualAccount": "%%1843",
        "WorkstationName": "WORKSTATION-NAME"
      },
      "System": {
        "Channel": "Security",
        "Computer": "server-name.domain.com",
        "Correlation": {
          "ActivityID": "{8f3130a4-6d64-0001-9a15-37e4707edb01}"
        },
        "EventID": "4624",
        "EventRecordID": "532823",
        "Execution": {
          "ProcessID": "660",
          "ThreadID": "5632"
        },
        "Keywords": "0x8020000000000000",
        "Level": "0",
        "Opcode": "0",
        "Provider": {
          "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "Name": "Microsoft-Windows-Security-Auditing"
        },
        "Security": "",
        "Task": "12544",
        "TimeCreated": {
          "SystemTime": "2025-03-07T17:57:50.9031348Z"
        },
        "Version": "2",
        "_event_id": "4624"
      }
    }
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "44a09eb5-e828-4563-9fa0-11503bb8d8b8",
    "event_time": 1741370271894,
    "event_type": "WEL",
    "ext_ip": "203.0.113.10",
    "hostname": "server-name.domain.com",
    "iid": "6e904fad-a376-45fa-a667-4b2454de7b7b",
    "int_ip": "10.0.0.1",
    "latency": 25,
    "moduleid": 2,
    "oid": "df2eb9e5-12b8-454c-b75e-5bc8699eef23",
    "plat": 268435456,
    "sid": "193f72c4-450b-4644-b2f0-79a1558f9eae",
    "tags": [
      "windows"
    ],
    "this": "083318d3955b9ecaed013ff067cb339f"
  },
  "ts": "2025-03-07 17:57:51"
}

A sample that would not fire (identical except for a SystemTime of 16:30:12 UTC, which is inside business hours; note the rule evaluates only `TimeCreated/SystemTime`, not the `routing.event_time` or `ts` fields)

{
  "event": {
    "EVENT": {
      "EventData": {
        "AuthenticationPackageName": "Negotiate",
        "ElevatedToken": "%%1842",
        "ImpersonationLevel": "%%1833",
        "IpAddress": "192.168.1.100",
        "IpPort": "3389",
        "KeyLength": "0",
        "LmPackageName": "-",
        "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
        "LogonProcessName": "User32",
        "LogonType": "10",
        "ProcessId": "0x4c0",
        "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
        "RestrictedAdminMode": "-",
        "SubjectDomainName": "DOMAIN",
        "SubjectLogonId": "0x3e7",
        "SubjectUserName": "SERVER-NAME$",
        "SubjectUserSid": "S-1-5-18",
        "TargetDomainName": "DOMAIN",
        "TargetLinkedLogonId": "0x0",
        "TargetLogonId": "0x19f4c",
        "TargetOutboundDomainName": "-",
        "TargetOutboundUserName": "-",
        "TargetUserName": "Administrator",
        "TargetUserSid": "S-1-5-21-0000000000-0000000000-0000000000-500",
        "TransmittedServices": "-",
        "VirtualAccount": "%%1843",
        "WorkstationName": "WORKSTATION-NAME"
      },
      "System": {
        "Channel": "Security",
        "Computer": "server-name.domain.com",
        "Correlation": {
          "ActivityID": "{8f3130a4-6d64-0001-9a15-37e4707edb01}"
        },
        "EventID": "4624",
        "EventRecordID": "532823",
        "Execution": {
          "ProcessID": "660",
          "ThreadID": "5632"
        },
        "Keywords": "0x8020000000000000",
        "Level": "0",
        "Opcode": "0",
        "Provider": {
          "Guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
          "Name": "Microsoft-Windows-Security-Auditing"
        },
        "Security": "",
        "Task": "12544",
        "TimeCreated": {
          "SystemTime": "2025-03-07T16:30:12.9031348Z"
        },
        "Version": "2",
        "_event_id": "4624"
      }
    }
  },
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "44a09eb5-e828-4563-9fa0-11503bb8d8b8",
    "event_time": 1741370271894,
    "event_type": "WEL",
    "ext_ip": "203.0.113.10",
    "hostname": "server-name.domain.com",
    "iid": "6e904fad-a376-45fa-a667-4b2454de7b7b",
    "int_ip": "10.0.0.1",
    "latency": 25,
    "moduleid": 2,
    "oid": "df2eb9e5-12b8-454c-b75e-5bc8699eef23",
    "plat": 268435456,
    "sid": "193f72c4-450b-4644-b2f0-79a1558f9eae",
    "tags": [
      "windows"
    ],
    "this": "083318d3955b9ecaed013ff067cb339f"
  },
  "ts": "2025-03-07 17:57:51"
}

A great way to test patterns for a rule like this is with https://regexr.com/

Use the “tests” feature to run your pattern against several timestamps, both inside and outside of your time range, to ensure your match works as expected. Paste full SystemTime values exactly as they appear in the event (e.g. `2025-03-07T17:57:50.9031348Z`) so the `T` delimiter, seconds and fractional seconds are exercised too, and include boundary cases such as `08:59:59`, `09:00:00`, `16:59:59` and `17:00:00`.