Application credentials sharing
A logon on Windows with one user, followed by a logon to an application with a different user from the same IP address. The alert should be triggered when a Windows logon event is followed by an application logon event whose username differs from the one in the Windows logon event.
Data sources needed
In order for the alert to be set, the following sources need to be collected in Cyberquest:
- Windows Security Log with logon auditing enabled in GPO (event 4624). Note that for local interactive logons the IpAddress field of 4624 is typically "-" or "127.0.0.1", so the SrcIP match below is only meaningful for logons that carry a real client address, such as network or RDP logons;
- Application logon audits, enabled and containing both the username and the source IP of each login.
Go to Settings, click on Alerts, then Realtime.
1. In the Rule 1 settings fields, Windows successful logon events (4624) will be identified. Fill in the fields as follows: EventID = 4624
2. In the Rule 2 settings fields, application successful login events will be identified. To do that, set EventID = "application event id number" AND SrcIP = Rule No. 1 SrcIP AND UserName ≠ Rule No. 1 UserName
To export the alert settings, click on Alert Object above.
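The correlation the two rules express, run over a handful of constructed log records, as an added example that is not part of the Cyberquest product or this page. The application event ID (9001), the correlation window (10 minutes), the field names and the sample events are all assumptions; the one thing the example adds beyond the rule text is username normalisation, since the Windows log records DOMAIN\user while many applications record the bare name, and a raw "≠" comparison would fire falsely on that difference.

```python
"""Correlate Windows 4624 logons with application logins from the same source IP
but a different user.  Added example, not Cyberquest's rule engine."""
from datetime import datetime, timedelta

WINDOWS_LOGON_EVENT_ID = 4624
APP_LOGIN_EVENT_ID = 9001          # assumption: the real ID depends on the application
WINDOW = timedelta(minutes=10)     # assumption: how long after a 4624 an app login still counts

# Constructed sample events, already normalised to the fields the rule needs.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "EventID": 4624, "UserName": "CORP\\alice", "SrcIP": "10.0.0.5"},
    {"ts": "2024-03-01T08:02:10", "EventID": 9001, "UserName": "bob",         "SrcIP": "10.0.0.5"},  # alert
    {"ts": "2024-03-01T08:05:00", "EventID": 4624, "UserName": "CORP\\carol", "SrcIP": "10.0.0.7"},
    {"ts": "2024-03-01T08:06:00", "EventID": 9001, "UserName": "Carol",       "SrcIP": "10.0.0.7"},  # same user
    {"ts": "2024-03-01T09:30:00", "EventID": 9001, "UserName": "dave",        "SrcIP": "10.0.0.5"},  # outside window
]


def normalize_user(name: str) -> str:
    """Strip a DOMAIN\\ prefix and lowercase, so 'CORP\\Carol' and 'carol' compare equal."""
    return name.rsplit("\\", 1)[-1].lower()


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """Return (windows_event, app_event) pairs where an application login follows a
    Windows logon from the same SrcIP, within `window`, under a different username."""
    alerts = []
    last_windows_logon = {}  # SrcIP -> most recent 4624 seen from that address
    for ev in sorted(events, key=_ts):
        if ev["EventID"] == WINDOWS_LOGON_EVENT_ID:
            last_windows_logon[ev["SrcIP"]] = ev      # Rule 1 match
        elif ev["EventID"] == APP_LOGIN_EVENT_ID:      # Rule 2 candidate
            win = last_windows_logon.get(ev["SrcIP"])  # SrcIP = Rule 1 SrcIP
            if win is None:
                continue
            if _ts(ev) - _ts(win) > window:            # too long after the Windows logon
                continue
            if normalize_user(ev["UserName"]) == normalize_user(win["UserName"]):
                continue                               # UserName = Rule 1 UserName: no alert
            alerts.append((win, ev))
    return alerts


if __name__ == "__main__":
    for win, app in correlate(SAMPLE_EVENTS):
        print(f"ALERT {app['ts']} {app['SrcIP']}: Windows user {win['UserName']} "
              f"then application user {app['UserName']}")
```

Only the most recent 4624 per source IP is kept, which is enough for a shared workstation; a busy terminal server or NAT gateway would need a per-IP list of recent logons and a much tighter window, or the rule will pair unrelated users behind the same address.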