Application credentials sharing

Alert description

A logon on Windows with one user followed by a logon on an application with a different user from the same IP. This alert should be triggered when a Windows logon event is followed by an application login event whose username differs from the one in the Windows logon event.

Data sources needed

In order for the alert to be set, the following sources need to be collected in Cyberquest:

  • Windows Security Log with Logon audits enabled in GPO;
  • Application logon audits enabled and containing information about the user and IP.

Alert setup

Go to Settings, click on Alerts, then Realtime.

  1. In the Rule 1 settings fields, Windows Success Logon 4624 events will be identified. Fill in the fields with the information shown below: EventID = 4624


  2. In the Rule 2 settings fields, application success login events will be identified. To do that, set EventID to “application event id number” AND SrcIP = Rule No. 1 SrcIP AND UserName ≠ Rule No. 1 UserName.

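As an added example (not Cyberquest's own code or rule syntax), the following Python sketch shows the correlation the two rules above express, run over constructed sample events: a Windows 4624 logon followed, from the same SrcIP, by an application login under a different UserName. The application event id, the 10-minute correlation window and the username normalization (dropping a DOMAIN\ prefix, case-insensitive compare) are assumptions not stated on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder for the real "application event id number" of Rule 2.
APP_LOGIN_EVENT_ID = "APP_LOGIN"

# Constructed sample events, not real Cyberquest data.
# Format: timestamp|source|event_id|user|src_ip
SAMPLE_EVENTS = r"""
2024-01-10T09:00:00|windows|4624|CORP\alice|10.0.0.5
2024-01-10T09:00:30|app|APP_LOGIN|alice|10.0.0.5
2024-01-10T09:05:00|windows|4624|bob|10.0.0.7
2024-01-10T09:06:10|app|APP_LOGIN|carol|10.0.0.7
2024-01-10T09:10:00|windows|4624|dave|10.0.0.9
2024-01-10T09:40:00|app|APP_LOGIN|erin|10.0.0.9
"""

@dataclass
class Event:
    ts: datetime
    source: str
    event_id: str
    user: str
    src_ip: str

def normalize_user(user):
    """Assumed normalization: strip a DOMAIN\\ prefix and ignore case, so
    'CORP\\Alice' and 'alice' are treated as the same account."""
    return user.rsplit("\\", 1)[-1].lower()

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, source, event_id, user, src_ip = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), source, event_id, user, src_ip))
    return events

def correlate(events, window=timedelta(minutes=10)):
    """Rule 1: Windows 4624. Rule 2: application login with SrcIP equal to the
    Rule 1 SrcIP and a different UserName, within `window` (assumed value).
    Returns (windows_user, app_user, src_ip) for each match."""
    latest_logon = {}  # src_ip -> (timestamp, user) of the most recent 4624
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source == "windows" and ev.event_id == "4624":
            latest_logon[ev.src_ip] = (ev.ts, ev.user)
        elif ev.source == "app" and ev.event_id == APP_LOGIN_EVENT_ID:
            hit = latest_logon.get(ev.src_ip)
            if hit is None:
                continue
            logon_ts, win_user = hit
            if ev.ts - logon_ts <= window and normalize_user(ev.user) != normalize_user(win_user):
                alerts.append((win_user, ev.user, ev.src_ip))
    return alerts
```

In the sample, only the bob/carol pair fires: alice matches herself after normalization, and dave/erin fall outside the window.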

Alert Object

To export the alert settings, click on Alert Object above.