crowdstrike_cqlHunting
User Logon Details (Time, Type, Location, Last Password Change)
This query outputs a table of recent interactive (type 2) and remote interactive (type 10) user logons with context:
- LogonTime (UTC, formatted from the epoch-seconds LogonTime field)
- aid (sensor ID of the host on which the logon occurred)
- UserName
- UserSid (only S-1-5-21-* SIDs, i.e. domain and local user accounts; well-known SIDs such as S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE and S-1-5-20 NETWORK SERVICE are excluded)
- LogonType (numeric value decoded to its Windows name)
- UserIsAdmin (Yes/No)
- PasswordLastSet (UTC)
- Location (city, state and country from ipLocation() on aip, the public IP the sensor connects to the CrowdStrike cloud from; this is where the host was, not where the logon originated)
Detection Query
// UserLogon events for domain and local user accounts (S-1-5-21-*); well-known SIDs such as S-1-5-18 (SYSTEM) are excluded
#event_simpleName=UserLogon UserSid=S-1-5-21-*
// Keep interactive (console, type 2) and remote interactive (RDP, type 10) logons only
| in(LogonType, values=["2","10"])
// Geolocate aip, the public IP the sensor reaches the cloud from: the host's location, not the logon source
| ipLocation(aip)
// Decode the UserIsAdmin flag; the * branch leaves any other value untouched
| case {UserIsAdmin = "1" | UserIsAdmin := "Yes" ;
UserIsAdmin = "0" | UserIsAdmin := "No" ;
* }
// Decode the numeric LogonType to its Windows name; only 2 and 10 survive the filter above, the other branches are kept so the filter can be widened
| case {
LogonType = "2" | LogonType := "Interactive" ;
LogonType = "3" | LogonType := "Network" ;
LogonType = "4" | LogonType := "Batch" ;
LogonType = "5" | LogonType := "Service" ;
LogonType = "7" | LogonType := "Unlock" ;
LogonType = "8" | LogonType := "Network Cleartext" ;
LogonType = "9" | LogonType := "New Credentials" ;
LogonType = "10" | LogonType := "Remote Interactive" ;
LogonType = "11" | LogonType := "Cached Interactive" ;
* }
// Both timestamps arrive as epoch seconds; formatTime() expects milliseconds
| PasswordLastSet := PasswordLastSet*1000
| LogonTime := LogonTime*1000
| PasswordLastSet := formatTime("%Y-%m-%d %H:%M:%S", field=PasswordLastSet, locale=en_US, timezone=Z)
| LogonTime := formatTime("%Y-%m-%d %H:%M:%S", field=LogonTime, locale=en_US, timezone=Z)
| table(["LogonTime", "aid", "UserName", "UserSid", "LogonType", "UserIsAdmin", "PasswordLastSet", "aip.city", "aip.state", "aip.country"])
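The query above lists PasswordLastSet next to each logon but leaves the comparison to the analyst. The following CQL is an added example, not part of the CrowdStrike query or this repository, that reuses the same UserLogon fields (LogonTime and PasswordLastSet, both in epoch seconds) to compute the password's age at the moment of each logon and keep only the two outlying cases: a password changed less than 24 hours before an interactive logon (a reset followed by immediate use) and a password older than 90 days. The 24-hour and 90-day thresholds, the field names AgeBucket, PasswordAgeDays and the Ms suffixes, and the collect() limit are assumptions to adjust to your own policy.

```cql
// Added example, not from the original query: password age at logon time.
// Assumes the same UserLogon fields used above (LogonTime, PasswordLastSet in epoch seconds).
#event_simpleName=UserLogon UserSid=S-1-5-21-*
| in(LogonType, values=["2","10"])
// Drop events with no usable PasswordLastSet (missing or 0) instead of reporting an age since 1970
| PasswordLastSet > 0
// Keep raw millisecond values for arithmetic; formatTime() would turn them into strings
| LogonTimeMs := LogonTime*1000
| PasswordLastSetMs := PasswordLastSet*1000
// Whole days between the password change and this logon; floor() makes anything under 24h read as 0
| PasswordAgeDays := (LogonTimeMs - PasswordLastSetMs) / 86400000
| PasswordAgeDays := floor(PasswordAgeDays)
// Bucket thresholds (24h, 90 days) are assumptions; set them to your own password policy
| case {
PasswordAgeDays < 1 | AgeBucket := "set less than 24h before this logon" ;
PasswordAgeDays > 90 | AgeBucket := "older than 90 days" ;
* | AgeBucket := "normal" }
// Only the outlying buckets are worth a hunter's time
| AgeBucket != "normal"
// One row per account and bucket, with the hosts (aid) it was seen on
| groupBy([UserName, UserSid, AgeBucket], function=[count(as="Logons"), min(PasswordAgeDays, as="MinAgeDays"), max(PasswordAgeDays, as="MaxAgeDays"), max(LogonTimeMs, as="LastLogonMs"), collect([aid], limit=20)])
| LastLogon := formatTime("%Y-%m-%d %H:%M:%S", field=LastLogonMs, locale=en_US, timezone=Z)
| table([UserName, UserSid, AgeBucket, Logons, MinAgeDays, MaxAgeDays, LastLogon, aid])
| sort(Logons, order=desc)
```

Because PasswordLastSet is read at logon time, a negative age (clock skew between the host and the domain controller) floors below 1 and lands in the "less than 24h" bucket; if that produces noise in your environment, add a `PasswordAgeDays >= 0` filter before the case block.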
Author
CrowdStrike
Data Sources
Endpoint
Platforms
Windows, Linux
Tags
Hunting, Monitoring, cs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: User Logon Details (Time, Type, Location, Last Password Change)
# Description of what the query does and its purpose.
description: |
  This query outputs a table of recent interactive (type 2) and remote interactive (type 10) user logons with context:
  - LogonTime (UTC, formatted from the epoch-seconds LogonTime field)
  - aid (sensor ID of the host on which the logon occurred)
  - UserName
  - UserSid (only S-1-5-21-* SIDs, i.e. domain and local user accounts; well-known SIDs such as S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE and S-1-5-20 NETWORK SERVICE are excluded)
  - LogonType (numeric value decoded to its Windows name)
  - UserIsAdmin (Yes/No)
  - PasswordLastSet (UTC)
  - Location (city, state and country from ipLocation() on aip, the public IP the sensor connects to the CrowdStrike cloud from; this is where the host was, not where the logon originated)
# The author or team that created the query.
author: CrowdStrike
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Endpoint
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Insight
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Hunting
- Monitoring
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #event_simpleName=UserLogon UserSid=S-1-5-21-*
  | in(LogonType, values=["2","10"])
  | ipLocation(aip)
  | case {UserIsAdmin = "1" | UserIsAdmin := "Yes" ;
  UserIsAdmin = "0" | UserIsAdmin := "No" ;
  * }
  | case {
  LogonType = "2" | LogonType := "Interactive" ;
  LogonType = "3" | LogonType := "Network" ;
  LogonType = "4" | LogonType := "Batch" ;
  LogonType = "5" | LogonType := "Service" ;
  LogonType = "7" | LogonType := "Unlock" ;
  LogonType = "8" | LogonType := "Network Cleartext" ;
  LogonType = "9" | LogonType := "New Credentials" ;
  LogonType = "10" | LogonType := "Remote Interactive" ;
  LogonType = "11" | LogonType := "Cached Interactive" ;
  * }
  | PasswordLastSet := PasswordLastSet*1000
  | LogonTime := LogonTime*1000
  | PasswordLastSet := formatTime("%Y-%m-%d %H:%M:%S", field=PasswordLastSet, locale=en_US, timezone=Z)
  | LogonTime := formatTime("%Y-%m-%d %H:%M:%S", field=LogonTime, locale=en_US, timezone=Z)
  | table(["LogonTime", "aid", "UserName", "UserSid", "LogonType", "UserIsAdmin", "PasswordLastSet", "aip.city", "aip.state", "aip.country"])