IBM QRadar

  • 1.  Using QRadar to monitor Active Directory sessions

    Posted Mon February 04, 2019 02:25 PM
    I have a request from another department to monitor when a particular user has logged on and logged off the domain. Sounds simple, right? But when I tell QRadar to show me all login activity related to the user in question, I get hundreds of entries per day of the chosen log monitoring duration. Most are either User Login Success, or Host Logout. But there's multiple entries for the exact same point in time. I checked the following site from IBM: https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_qradar_adm_authentication.html, but it's no help as the description of each event isn't very, well, descriptive.
    All I want to know is when a user logged in, and when a user logged out. Does anyone have any experience with this?

    Cheers

    ------------------------------
    Brian Brehart
    ------------------------------


  • 2.  RE: Using QRadar to monitor Active Directory sessions

    Posted Mon February 04, 2019 02:52 PM
    You would like to take a look at "Logon Type". There are a lot of logon type 3 events, which represent network connections; this can be the user simply clicking on a network share. Windows counts them as login successes; however, for your use case I assume you want the interactive logins when the user types in the password or logs in through remote desktop.

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10).

    I have created an RFE for your convenience around this topic (Logon type); the more votes, the higher visibility the RFE will have.
    You can vote for it here:
    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=129664

    Please also feel free to open an RFE for yourself with more details of your use case (other than Logon Type).

    Thanks

    ------------------------------
    Eduardo Torreblanca
    ------------------------------



  • 3.  RE: Using QRadar to monitor Active Directory sessions

    Posted Mon February 04, 2019 03:01 PM
    Hey Eduardo, thanks for the answer. That makes a lot of sense; I never realized that accessing a network share counted as a successful login event.
    I wanted to let you know that the Microsoft docs link you provided works just fine, but when I click on the RFE you provided, I receive the following message:
    You cannot access this page because you do not have the proper authority.
    Any idea what's causing that?
    Brian

    ------------------------------
    BrianBrehart
    ------------------------------



  • 4.  RE: Using QRadar to monitor Active Directory sessions

    Posted Mon February 04, 2019 03:41 PM
    https://www.ibm.com/developerworks/rfe/

    You would need to create an account.

    ------------------------------
    Eduardo Torreblanca
    ------------------------------



  • 5.  RE: Using QRadar to monitor Active Directory sessions

    Posted Mon February 04, 2019 04:51 PM
    So I figured it out, and it's not QRadar's fault; it's Active Directory's. Turns out it all comes down to a small entry in the Payload that works with the EventID= field: Logon Type. For a local machine, there are several, as listed in this article (and multiple others):  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787567(v=ws.10). Unfortunately, when a user is logging into Active Directory, regardless of EventID, the Logon Type will always equal 3 (A user or computer logged on to this computer from the network). It makes sense, since, to the Domain Controller, every authentication to Active Directory is a network login. So thanks for the responses, but I'm going to have to tackle this from a different direction.

    ------------------------------
    BrianBrehart
    ------------------------------



  • 6.  RE: Using QRadar to monitor Active Directory sessions

    Posted Mon February 04, 2019 05:18 PM
    Correct, this works if you are also monitoring other Windows servers, e.g. if the user logs in with the keyboard or remote desktop to those servers (and you are collecting those other servers' logs) you will see logon types other than 3. However, as you described, if the only nature of the authentication is from workstations, and you don't have the local Windows workstation logs, AD will only show you logon type 3.

    All depends on the use case. Typically when you monitor a user you would need to focus on his/her activity on the company's servers, unless you have monitoring at the host level.

    Please post when/if you find a solution for your use case.

    ------------------------------
    Eduardo Torreblanca
    ------------------------------



  • 7.  RE: Using QRadar to monitor Active Directory sessions

    Posted Tue February 05, 2019 03:41 AM
    Not sure if this helps, but you might want to be looking for a different logon type. If you are looking for someone sitting down at a computer, typing in a password and logging on, that's a type 2 logon. Done from a terminal session, that's a type 10.

    Full list can be found here: Windows Security Log Event ID 4624 - An account was successfully logged on

    Kind regards

    James


    ------------------------------
    James McLaren
    Logicalis MSS
    ------------------------------



  • 8.  RE: Using QRadar to monitor Active Directory sessions

    Posted Tue February 05, 2019 05:26 PM
    Hi Brian,

    You could use Event ID 4624 (Success Audit: An account was successfully logged on) and 4634 (Success Audit: An account was logged off) and look at the first login and last login for the day, grouped by user.

    If the user logs in and out at the beginning and end of the day, you would be OK. But, if they lock the workstation, then your results won't make sense because there are other logins that come from network shares, for example (logon type 3).

    In AQL, it would look similar to this (you need to change the time range).

    SELECT DATEFORMAT(starttime, 'yyyy-MM-dd') AS day,
           DATEFORMAT(MIN(starttime), 'HH:mm'),
           CATEGORYNAME(highlevelcategory),
           CATEGORYNAME(category),
           username,
           eventid,
           "Logon Type"
    FROM events
    WHERE "EventID" = 4624 AND "Logon Type" IN (2, 7)
    GROUP BY day, username, highlevelcategory, category
    START '2018-12-20 00:00:00' STOP '2018-12-20 23:59:59'


    Please note this approach won't work well for users that login before midnight and logout after it. In other words, this example is just a starting point that needs to be improved.

    You may want to have a look at how Windows authentication and logon works and the events it logs.
    Chapter 3 Understanding Authentication and Logon



    ------------------------------
    Cheers,
    Damian
    ------------------------------
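The logon-type filtering from posts 2 and 7 and the 4624/4634 pairing from post 8, as an added example that is not code from any poster or from QRadar: instead of bucketing by day, it pairs each 4624 with its 4634 on the user plus Logon ID, which is what makes the midnight-crossing case work. The flattened key=value event shape, the field names and the sample events are constructed for the example; the set of "interactive" logon types is an assumption.

```python
from datetime import datetime

# Constructed sample events in a flattened key=value form (not real QRadar payloads).
# Logon Type 3 events are the network-share noise described in the thread; the
# jdoe session deliberately crosses midnight to show the by-day pitfall.
SAMPLE_EVENTS = [
    "2019-02-04 08:02:11 EventID=4624 User=bbrehart LogonType=2 LogonId=0x3e7a1",
    "2019-02-04 08:02:15 EventID=4624 User=bbrehart LogonType=3 LogonId=0x3e7b0",
    "2019-02-04 08:02:15 EventID=4634 User=bbrehart LogonType=3 LogonId=0x3e7b0",
    "2019-02-04 12:30:00 EventID=4624 User=bbrehart LogonType=7 LogonId=0x3f002",
    "2019-02-04 12:30:01 EventID=4634 User=bbrehart LogonType=7 LogonId=0x3f002",
    "2019-02-04 23:40:00 EventID=4624 User=jdoe LogonType=10 LogonId=0x5c110",
    "2019-02-04 17:15:42 EventID=4634 User=bbrehart LogonType=2 LogonId=0x3e7a1",
    "2019-02-05 01:05:30 EventID=4634 User=jdoe LogonType=10 LogonId=0x5c110",
]

# Assumption: these logon types mean a person is "at" a machine (console, unlock,
# RDP, cached interactive). Type 3 network logons are filtered out.
INTERACTIVE_TYPES = {"2", "7", "10", "11"}

def parse_event(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a datetime."""
    ts, rest = line[:19], line[20:]
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["time"] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return ev

def reconstruct_sessions(lines):
    """Pair each 4624 with its 4634 on (user, Logon ID); returns
    (user, logon_type, start, end) tuples, end=None if no 4634 was seen."""
    open_sessions, sessions = {}, []
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["time"]):
        if ev["LogonType"] not in INTERACTIVE_TYPES:
            continue  # drop logon type 3 and other non-interactive logons
        key = (ev["User"], ev["LogonId"])
        if ev["EventID"] == "4624":
            open_sessions[key] = (ev["time"], ev["LogonType"])
        elif ev["EventID"] == "4634" and key in open_sessions:
            start, ltype = open_sessions.pop(key)
            sessions.append((key[0], ltype, start, ev["time"]))
    # Anything still open has no 4634 yet (user still logged on, or a log gap).
    sessions.extend((u, lt, t, None) for (u, _), (t, lt) in open_sessions.items())
    return sessions

def presence_window(sessions, user):
    """Earliest logon and latest logoff across a user's paired sessions."""
    mine = [s for s in sessions if s[0] == user and s[3] is not None]
    if not mine:
        return None
    return min(s[2] for s in mine), max(s[3] for s in mine)
```

The short type 7 session is the lock/unlock noise post 8 mentions; it is still reported, but the per-user window is driven by the matching 4624/4634 pair, not by the calendar day.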