Detection rules › Kusto Query Language

EatonForeseer - Unauthorized Logins

Source: upstream

'Detects Unauthorized Logins into Eaton Foreseer'

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts
Persistence	`T1078` Valid Accounts
Privilege Escalation	`T1078` Valid Accounts
Defense Evasion	`T1078` Valid Accounts

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.
Security-Auditing	4625	An account failed to log on.
Security-Auditing	4634	An account was logged off.
Security-Auditing	4647	User initiated logoff.
Security-Auditing	4648	A logon was attempted using explicit credentials.
Security-Auditing	4675	SIDs were filtered.

Stages and Predicates

Stage 1: `source`

SecurityEvent

Stage 2: `where`

EventID in ["4624", "4625", "4634", "4647", "4648", "4675"]

Stage 3: `where`

AccountType eq "User"

Stage 4: `where`

TargetUserName is_not_null

Stage 5: `where`

ProcessName match "Foreseer"

Stage 6: `where`

not
  TargetUserName in ["janedoe", "johndoe"]

Stage 7: `summarize`

Stage 8: `project`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage	Field	Kind	Excluded values
1	`user`	in	`janedoe`, `johndoe`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AccountType`	eq	`User`
`EventID`	in	`4624` `4625` `4634` `4647` `4648` `4675`
`ProcessName`	match	`Foreseer`

EatonForeseer - Unauthorized Logins

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: where

Stage 5: where

Stage 6: where

Stage 7: summarize

Stage 8: project