Windows Event Correlation
LogZilla documentation for Windows Event Correlation
Windows Event Correlation for Administrators
Windows administrators face unique challenges monitoring enterprise environments with thousands of events daily. LogZilla's Windows correlation capabilities combine pre-built triggers for immediate alerts with SEC correlation for complex attack pattern detection.
Prerequisites: Ensure Event Correlation is enabled and forwarder reloading is available as shown in the Event Correlation Overview.
Brute Force Attack Detection
Business Problem
Failed logins (Event ID 4625) generate thousands of events daily in enterprise environments. Alerting on each one individually creates alert fatigue, while sophisticated attacks go undetected.
Correlation Solution
Detect successful brute force attacks by correlating failed attempts with subsequent successful logins.
LogZilla Forwarder Configuration
Required App: ms_windows app (for the MSWin EventID, MSWin Failed Login User, and MSWin Failed Login Source Network user tags)
```yaml
# /etc/logzilla/forwarder.d/windows-brute-force.yaml
type: sec
sec_name: windows-security
rules:
  - match:
      - field: mswin_eventid
        op: "eq"
        value: ["4624", "4625"]
    rewrite:
      message: "WINDOWS_AUTH $MESSAGE"
```
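The file above routes only 4624/4625 into SEC under the WINDOWS_AUTH prefix, but the rule sets later on this page match on WINDOWS_AUTH (4732, 1102), WINDOWS_SERVICE (7031, 7045), WINDOWS_PROCESS (4688) and WINDOWS_POWERSHELL (4104) as well. The following is an added example, not part of the LogZilla documentation, showing the same forwarder file extended with one match/rewrite pair per prefix; it assumes the forwarder accepts several entries under `rules:` and that `mswin_eventid` carries the ID for System and PowerShell log events just as it does for Security log events.

```yaml
# /etc/logzilla/forwarder.d/windows-brute-force.yaml (extended, added example)
type: sec
sec_name: windows-security
rules:
  # Logon success/failure, group membership change, audit log cleared
  # -> brute force and privilege escalation rules (WINDOWS_AUTH)
  - match:
      - field: mswin_eventid
        op: "eq"
        value: ["4624", "4625", "4732", "1102"]
    rewrite:
      message: "WINDOWS_AUTH $MESSAGE"
  # Service terminated unexpectedly / service installed
  # -> flapping and persistence rules (WINDOWS_SERVICE)
  - match:
      - field: mswin_eventid
        op: "eq"
        value: ["7031", "7045"]
    rewrite:
      message: "WINDOWS_SERVICE $MESSAGE"
  # Process creation -> malware persistence rule (WINDOWS_PROCESS)
  - match:
      - field: mswin_eventid
        op: "eq"
        value: ["4688"]
    rewrite:
      message: "WINDOWS_PROCESS $MESSAGE"
  # Script block logging -> PowerShell rules (WINDOWS_POWERSHELL)
  - match:
      - field: mswin_eventid
        op: "eq"
        value: ["4104"]
    rewrite:
      message: "WINDOWS_POWERSHELL $MESSAGE"
```

Without a prefix rule for an event ID, the corresponding SEC rule never sees the event, so check this file first when a correlation fails to fire.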
SEC Rule: Brute Force Detection
File: /etc/logzilla/sec/windows-security/rules/brute-force.sec
```text
# Track failed Windows authentication attempts.
# Note: SingleWithThreshold keys its counter on desc, so with a fixed desc
# all 4625 events share one counter rather than one per user/source.
type=SingleWithThreshold
ptype=SubStr
pattern=WINDOWS_AUTH
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "4625")
desc=Brute force attack detected against Windows user
action=eval %username $ENV{EVENT_USER_TAGS_MSWIN_FAILED_LOGIN_USER}; \
       eval %src_ip $ENV{EVENT_USER_TAGS_MSWIN_FAILED_LOGIN_SOURCE_NETWORK}; \
       eval %target_host $ENV{EVENT_HOST}; \
       create BRUTE_FORCE_ACTIVE_%username_%target_host 1800; \
       shellcmd (logger -t SEC-WINDOWS-SECURITY -p local0.alert \
         "BRUTE_FORCE_DETECTED user=\"%username\" src_ip=\"%src_ip\" target=\"%target_host\" attempts=\"10\"")
thresh=10
window=300

# Detect successful login after brute force. The context check makes this
# fire only while a BRUTE_FORCE_ACTIVE context exists for the same user and
# host; without it every 4624 would raise a compromise alert.
type=Single
ptype=SubStr
pattern=WINDOWS_AUTH
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "4624") && \
        (BRUTE_FORCE_ACTIVE_$ENV{EVENT_USER_TAGS_EVENT_USER_NAME}_$ENV{EVENT_HOST})
desc=Successful login after brute force - potential compromise
action=eval %username $ENV{EVENT_USER_TAGS_EVENT_USER_NAME}; \
       eval %target_host $ENV{EVENT_HOST}; \
       shellcmd (logger -t SEC-WINDOWS-SECURITY -p local0.crit \
         "WINDOWS_COMPROMISE_SUSPECTED user=\"%username\" target=\"%target_host\""); \
       shellcmd (logger -t SEC-ALERT "Windows compromise detected on %target_host")
```
LogZilla Trigger: Compromise Response
```yaml
name: "Windows Account Compromise Response"
filter:
  - field: program
    op: eq
    value: SEC-WINDOWS-SECURITY
  - field: message
    op: "=~"
    value: "WINDOWS_COMPROMISE_SUSPECTED"
actions:
  exec_script: true
  script_path: "/usr/local/bin/windows-compromise-response.sh"
  send_email: true
  send_email_template: |
    Subject: CRITICAL: Windows Account Compromise

    User: {{event:ut:username}}
    Source IP: {{event:ut:src_ip}}
    Target Host: {{event:ut:target}}

    Successful login detected after brute force attack.
    Account may be compromised - immediate investigation required.
```
Intelligent Response Script
```bash
#!/bin/bash
# /usr/local/bin/windows-compromise-response.sh
# Invoked by the compromise-response trigger above; expects the username,
# source IP and target host as positional arguments.
set -u

USERNAME="${1:-}"
SRC_IP="${2:-}"
TARGET_HOST="${3:-}"

# Refuse anything that is not a plain account name before it is placed in
# the LDAP filter or handed to the commands below.
if [[ ! "$USERNAME" =~ ^[A-Za-z0-9._-]+$ ]]; then
    logger -t SECURITY-RESPONSE "Rejected malformed username argument"
    exit 1
fi

# Query Active Directory for account details
ACCOUNT_TYPE=$(ldapsearch -x -h dc.company.com -b "dc=company,dc=com" \
    "(sAMAccountName=$USERNAME)" memberOf | grep -c "Domain Admins")

# Check IP reputation
IP_REPUTATION=$(curl -s "https://threat-intel.company.com/ip/$SRC_IP")

if [[ "$ACCOUNT_TYPE" -gt 0 ]]; then
    # Domain admin account compromised - immediate lockdown
    logger -t SECURITY-RESPONSE "Domain admin compromise: $USERNAME from $SRC_IP on $TARGET_HOST (ip reputation: $IP_REPUTATION)"
    # Disable account immediately
    net user "$USERNAME" /active:no /domain
    # Create critical incident (URL-encode each field so the username
    # cannot inject extra form parameters)
    curl -X POST "https://servicedesk.company.com/api/incidents" \
        --data-urlencode "priority=critical" \
        --data-urlencode "subject=Domain Admin Compromise" \
        --data-urlencode "user=$USERNAME"
    # Alert CISO immediately
    curl -X POST "https://slack.company.com/api/webhooks/ciso-alerts" \
        --data-urlencode "text=CRITICAL: Domain admin $USERNAME compromised from $SRC_IP"
else
    # Standard user account
    logger -t SECURITY-RESPONSE "User account compromise: $USERNAME from $SRC_IP on $TARGET_HOST (ip reputation: $IP_REPUTATION)"
    # Force password reset
    net user "$USERNAME" /passwordreq:yes /domain
    # Create high-priority ticket
    curl -X POST "https://servicedesk.company.com/api/tickets" \
        --data-urlencode "priority=high" \
        --data-urlencode "subject=Account Compromise" \
        --data-urlencode "user=$USERNAME"
fi
```
Privilege Escalation Detection
Attack Pattern
Attackers often add compromised accounts to privileged groups, then clear audit logs to hide evidence.
SEC Rule: Privilege Escalation Campaign
```text
# Track additions to privileged groups
type=Single
ptype=SubStr
pattern=WINDOWS_AUTH
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "4732")
desc=User added to privileged group
action=eval %target_user $ENV{EVENT_USER_TAGS_EVENT_USER_NAME}; \
       eval %admin_host $ENV{EVENT_HOST}; \
       create PRIVILEGE_ESCALATION_%target_user_%admin_host 3600; \
       shellcmd (logger -t SEC-WINDOWS-AUDIT \
         "PRIVILEGE_GRANTED user=\"%target_user\" host=\"%admin_host\"")

# Detect audit log clearing after privilege escalation
type=Single
ptype=SubStr
pattern=WINDOWS_AUTH
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "1102") && \
        (PRIVILEGE_ESCALATION_$ENV{EVENT_USER_TAGS_EVENT_USER_NAME}_$ENV{EVENT_HOST})
desc=Audit log cleared after privilege escalation - attack pattern
action=eval %username $ENV{EVENT_USER_TAGS_EVENT_USER_NAME}; \
       eval %target_host $ENV{EVENT_HOST}; \
       shellcmd (logger -t SEC-WINDOWS-SECURITY -p local0.crit \
         "PRIVILEGE_ESCALATION_ATTACK user=\"%username\" host=\"%target_host\"")
```
Service Flapping Detection
Operational Problem
Critical Windows services that repeatedly crash indicate system instability but generate too many individual alerts to be useful.
SEC Rule: Service Stability Monitoring
```text
# Detect repeated service failures.
# Note: the threshold counter is keyed on desc, so with a fixed desc all
# 7031 events share one counter across services and hosts.
type=SingleWithThreshold
ptype=SubStr
pattern=WINDOWS_SERVICE
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "7031")
desc=Service flapping detected on Windows server
action=eval %service_name $ENV{EVENT_USER_TAGS_SERVICE_NAME}; \
       eval %server_host $ENV{EVENT_HOST}; \
       eval %failure_count 5; \
       shellcmd (logger -t SEC-WINDOWS-OPERATIONS -p local0.warning \
         "SERVICE_FLAPPING service=\"%service_name\" host=\"%server_host\" failures=\"%failure_count\"")
thresh=5
window=600
```
Advanced Windows Correlation Patterns
Malware Persistence Detection
Correlate suspicious process creation with service installation and network connections to detect malware establishing persistence. The rules below cover the first two steps: a process launched from a user profile directory, followed by a service of the same name being installed on the same host.
```text
# Track suspicious process creation from user directories
type=Single
ptype=SubStr
pattern=WINDOWS_PROCESS
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "4688") && \
        ($ENV{EVENT_MESSAGE} =~ /C:\\Users\\.*\\AppData/)
desc=Suspicious process from user directory
action=eval %process_name $ENV{EVENT_USER_TAGS_PROCESS_NAME}; \
       eval %user_host $ENV{EVENT_HOST}; \
       create SUSPICIOUS_PROCESS_%process_name_%user_host 1800; \
       shellcmd (logger -t SEC-WINDOWS-MALWARE \
         "SUSPICIOUS_PROCESS process=\"%process_name\" host=\"%user_host\"")

# Correlate with service installation: fires only while a SUSPICIOUS_PROCESS
# context exists for a process with the same name on the same host.
type=Single
ptype=SubStr
pattern=WINDOWS_SERVICE
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "7045") && \
        (SUSPICIOUS_PROCESS_$ENV{EVENT_USER_TAGS_SERVICE_NAME}_$ENV{EVENT_HOST})
desc=Malware persistence detected - process to service
action=eval %service_name $ENV{EVENT_USER_TAGS_SERVICE_NAME}; \
       eval %malware_host $ENV{EVENT_HOST}; \
       shellcmd (logger -t SEC-WINDOWS-SECURITY -p local0.crit \
         "MALWARE_PERSISTENCE service=\"%service_name\" host=\"%malware_host\"")
```
PowerShell Attack Chain Detection
Detect PowerShell-based attacks by correlating execution with credential access and network activity. The rules below cover the first two steps: they record script block execution (Event ID 4104) and flag script blocks that invoke credential-access cmdlets.
```text
# Track PowerShell execution (script block logging)
type=Single
ptype=SubStr
pattern=WINDOWS_POWERSHELL
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "4104")
continue=TakeNext
desc=PowerShell script execution detected
action=eval %ps_user $ENV{EVENT_USER_TAGS_EVENT_USER_NAME}; \
       eval %ps_host $ENV{EVENT_HOST}; \
       create POWERSHELL_ACTIVE_%ps_user_%ps_host 900

# Flag script blocks that touch credentials. SEC's "if" action tests an
# action-list variable, not a Perl expression, so the check is expressed as
# a second rule's context; continue=TakeNext above lets the same event
# reach this rule.
type=Single
ptype=SubStr
pattern=WINDOWS_POWERSHELL
context=($ENV{EVENT_USER_TAGS_MSWIN_EVENTID} eq "4104") && \
        ($ENV{EVENT_MESSAGE} =~ /(Invoke-Mimikatz|Get-Credential|ConvertTo-SecureString)/)
desc=PowerShell credential access detected
action=eval %ps_user $ENV{EVENT_USER_TAGS_EVENT_USER_NAME}; \
       eval %ps_host $ENV{EVENT_HOST}; \
       shellcmd (logger -t SEC-WINDOWS-SECURITY -p local0.alert \
         "POWERSHELL_CREDENTIAL_ACCESS user=\"%ps_user\" host=\"%ps_host\"")
```