1.The purpose of the article
Techbast will guide you to use the Live Discover feature of Sophos Central to create a query to check the number of incorrect logins to Windows servers and workstations within a specified time.
- The internet connection is connected at port 2 of the Sophos Firewall device with IP 10,150.30.106.
- The LAN layer is configured at port 1 of the Sophos XG Firewall device with IP 172.16.16.16/24 and configured with a DHCP Server to allocate IPs to connected devices.
- In the LAN we will have 2 devices one is WIN-V3N9Q4OC2GG server with IP 172.16.16.19/24 and installed Sophos Endpoint.
- The second is a Windows 10 PC named DESKTOP-HP5D580 with IP 172.16.16.17/24 and also has Sophos Endpoint installed.
Make a Query on Sophos Central using the Live Discover feature to check for incorrect login attempts on 2 devices DESKTOP-HP5D580 and server WIN-V3N9Q4OC2GG.
4.What to do
- Create query.
To create a query, go to Threat Analysis Center > Live Discover.
First we will turn on Designer Mode.
Then we click Create new query to create a new query.
The query creation table appears we will enter the following information:
- Query Name: Name this query Login Failed attempts Query For WINDOWS.
- Category: select Device.
- Source: select Live Endpoint and select Windows (Note with this option, the computer or server must have an internet connection to be able to query).
- In the SQL box we enter the code below.
datetime(time,'unixepoch','localtime') as 'Time',
json_extract(data,'$.EventData.TargetUserName') as UserName
WHERE eventid='4625' AND UserName '' AND time > STRFTIME('%H','NOW','24 hours');
We need to pay attention to the last line of the SQL query, in this paragraph, it is set to 24 hours, which means it will query the number of incorrect logins from the time of pressing Run Query back to the previous 24 hours.
You can customize this information to increase the time, but in this article, I will leave it as 24 hours.
- At Device selector we select the computer and server that has installed Sophos Endpoint and click Query.
Wait a few seconds, the query results will show the number of incorrect login attempts on both machines.
This is the number of wrong login attempts on windows 10 machine.
This is the number of failed login attempts on the server.
With the Live Discover feature and this query, it helps us to check the number of false logins on both the server and the workstation, providing full information about when the wrong login occurred. , which user they log in with.
From there, administrators can quickly track and promptly detect security problems such as detecting the server’s password with Brute Force or someone trying to detect the password of a personal computer.