False Positive Alerts

Hello!

I installed the InTrust agent on Terminal Servers for the first time.

I just can't find the reason why, but:

I am receiving 2 specific alerts from all my terminal servers (hundreds of times per day).

The alerts are being caused by the server computer name itself!

Here are the alerts:

First to come is:

InTrust Major alert - Multiple failed logons by the same user.

There were 5 failed logons by user domain.com\MSTS-TAL1 from workstation MSTS-TAL1.

Alert was generated on computer msts-tal1.domain.com.

The second alert is:

InTrust Major alert - Multiple failed logons from the same workstation.

There were 5 failed logons from workstation MSTS-TAL1.

Alert was generated on computer msts-tal1.domain.com

I just can't find what process or service is causing that.

It's happening every 10 minutes or so on every single Terminal Server.

What's best to do?

Is there a way to filter out the "computer": "domain.com\SERVERNAME" from this alert?

Is it a known false alert for Terminal Servers that you know about, maybe?

Thanks in advance...


  • Hi benybb,

    Let's try the following change. Open the rule properties, go to the Matching tab, click Advanced, click Find on the toolbar (binoculars icon), type "EventID = 4625", and find the last occurrence of this string in the rule text. Now type the additional condition right after: change "EventID = 4625" to "EventID = 4625 and not striequ(String6, String14)". If you see "Z." before EventID, just ignore this fact, because "EventID = 4625" and "Z.EventID = 4625" mean the same in this context. Click OK, and then commit your changes. Do the same with the second rule. This additional condition should filter out all the events where user name and workstation name are the same.

  • Thank you for the response.

    After the change, I suddenly don't get emails from those rules like before (from Terminal Servers).

    I tried to RDP to one Terminal Server and logged in on purpose with a wrong password more than 10 times.

    The user has been locked out, but no alerts at all...

    Without the alerts I don't know who failed login multiple times (and where) and who has been locked out.

    Here are the rules after the changes; maybe I've made a mistake:

    MULTIPLE FAILED LOGON BY SAME USER:

    and set_alert_field("_UsrName", String1, true)
    and set_alert_field("_UsrDomain", String2, true)
    and set_alert_field("_WorkStation", String6, true)
    )
    or
    (
    count(select_filtered(
    Z.EventID = 4625 and not striequ(String6, String14) and ( striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc0000064") or
    striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc000006a") ),
    striequ( Z.String6, String6 ) and striequ( Z.String7, String7 ),
    <parameter name="Time period"></parameter> ))
    >= <parameter name="Threshold"></parameter>

    and empty(select_matches(
    striequ( Z[0].String6, String6 ) and striequ( Z[0].String7, String7 ),
    <parameter name="Time period"></parameter>
    ))

    and set_alert_field("_UsrName", String6, true)
    and set_alert_field("_UsrDomain", String7, true)
    and set_alert_field("_WorkStation", String14, true)
    );

    </body>
    </rule>

    MULTIPLE FAILED LOGON BY SAME WORKSTATION:

    EventID = 4625;

    </prefilter>
    <body>

    count(select_filtered(
    EventID = 4625 and not striequ(String6, String14)
    and not in(String14, "wi", array(<parameter name="Excluded_Workstations"/>))
    and ( striequ(String8, "0xc000006d") and striequ(String10, "0xc0000064") or
    striequ(String8, "0xc000006d") and striequ(String10, "0xc000006a") ),
    striequ( Z.String14, String14 ),
    <parameter name="Time period"/>))
    >= <parameter name="Threshold"/>

    and empty(select_matches(striequ( Z[0].String14, String14 ),
    <parameter name="Time period"></parameter>
    ))

    THANKS IN ADVANCE

  • UPDATE:

    Some Terminal Servers still send me: (Multiple failed logons from the same workstation)

    but not:

    Who's the user that tried and failed (Multiple failed logons by the same user)

    Probably the "Multiple failed" is still from the server itself...

    Thanks in advance

  • Hi benybb,

    The changes look OK. I am a bit confused with the current state. Why are you saying you suddenly don't get emails, after we worked on removing excessive unnecessary emails? Or do you mean something new? Regarding RDP I can say that not all processes result in 4625 events, and I think RDP is one of them. Please make sure there are 4625 events on the target system. If there are none, the rule cannot trigger. In that case consider also 4771 Kerberos authentication events on the DC and the corresponding InTrust rules.

  • Hi Igor,

    About the rule "Multiple failed logons by the same user":

    You were right (like always)

    No 4625 or 4771 events on my Terminal Servers.

    Only when I log on by console (locally) to the Terminal Server does it create a 4625 event...

    RDP does not create 4625?

    I tried these with no success:

    Computer Configuration/Policies/WindowsSettings/Security Settings/Advanced Audit Policy Configuration/AuditPolicies/Audit Credential Validation set to Failures. And monitor Event ID 4776.

    No 4776 appears...

    Which ID can be for RDP login?

    *******

    About the rule "Multiple failed logons from the same workstation": it finally stopped sending me alerts when the user is the computer name. Bless you.

    Can I do the same (and how) on this rule also?:

    Change Password Attempt on Administrative Account:

    There was administrative account password change attempt by DOMAIN\WYL313-54-216$ user. Target account: WYL313-54-216\admin.

    Alert was generated on computer WYL313-54-216.DOMAIN.COM.

    Thanks in advance

  • UPDATE about the rule "Multiple failed logons by the same user"

    It seems to cover only failed local console logins and not failed RDP logons.

    After a few hours on that one, I realized some things...

    1. Event ID 4771 exists on the DC for all failed RDP logins that happened on the Terminal Server, but...

    2. I saw a rule named "Multiple pre-authentication failures" that should send me alerts on 4771, but it doesn't even seem to get those events.

    3. Also, 4740 events for the rule "user account lock" are on the DC too, but they don't work well either; I get all the alerts exactly 3 hours later.

    Maybe something is wrong with the agent on the DC? I really don't know...

    About the rule "Multiple failed logons from the same workstation"

    Still getting hundreds of alerts for DOMAIN\COMPUTERNAME$

    Hope for help

    Thanks in advance for all!

  • The rules should work well once they reach the agent. Try to find them in the CFG folder like you did in one of the previous threads.

  • Regarding the rule "Multiple pre-authentication failures": most of our predefined rules still contain conditions for Win XP machines; it's OK to get rid of them and simplify a bit. Here is the simplified rule text which you can substitute in the Advanced rule editor:

    <prefilter>
    EventID = 4771;
    </prefilter>
    <body>

    count( select( Z.EventID = 4771,
    <parameter name="Time period"></parameter> ) )
    >=
    <parameter name="Threshold"></parameter>

    and set_alert_field("UserIP", String7, true);

    </body>

  • Regarding "Still getting hundred of alerts for  DOMAIN\COMPUTERNAME$", let's make another change as we did above, "EventID = 4625 and not striequ(String6, String14) and not( in( String6, "bi", ".*\\$" ))". I believe this is only Terminal Server specifics.
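The following Python script is an added illustration, not part of this thread and not InTrust code, of what the two rule changes above do: it re-implements the windowed "N failed logons in a time period" check for the "by the same user" and "from the same workstation" rules, applies the `not striequ(String6, String14)` exclusion (user name equal to workstation name) and the machine-account exclusion (user name ending in `$`, which stands in here for the rule's `.*\\$` pattern), and also mirrors the simplified 4771 pre-authentication rule posted earlier. The field mapping (String6 = user, String7 = domain, String14 = workstation, String8/String10 = status and sub-status) is taken from the rule text quoted in the thread; all hosts, users, the IP address and the timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Field names follow the rule text quoted in the thread: for event 4625, String6 is the
# user name, String7 the user domain, String14 the workstation, and String8/String10 the
# status and sub-status. Everything below (hosts, users, IP, timestamps) is constructed
# sample data, not real events.
_BASE = datetime(2024, 1, 1, 10, 0, 0)

def _ev(event_id, minute, **fields):
    return {"EventID": event_id, "Time": _BASE + timedelta(minutes=minute), **fields}

def _fail(minute, user, domain, ws):
    # Bad-password failure: status 0xc000006d with sub-status 0xc000006a, as in the rule.
    return _ev(4625, minute, String6=user, String7=domain,
               String8="0xc000006d", String10="0xc000006a", String14=ws)

SAMPLE_EVENTS = (
    # self-generated noise the thread starts with: user name equals workstation name
    [_fail(m, "MSTS-TAL1", "domain.com", "MSTS-TAL1") for m in range(5)]
    # machine account (name ends in '$'), which striequ(String6, String14) does not catch
    + [_fail(m, "WYL313-54-216$", "DOMAIN", "WYL313-54-216") for m in range(5)]
    # a real burst: five bad passwords for one user inside four minutes
    + [_fail(m, "jsmith", "DOMAIN", "WS02") for m in range(5)]
    # five failures spread over an hour: never five inside a 10-minute window
    + [_fail(m, "tlee", "DOMAIN", "WS03") for m in (0, 15, 30, 45, 60)]
    # Kerberos pre-authentication failures; the simplified 4771 rule reports String7 as UserIP
    + [_ev(4771, m, String7="10.0.0.5") for m in range(6)]
)

FAILED_STATUS = {("0xc000006d", "0xc0000064"), ("0xc000006d", "0xc000006a")}

def is_counted_failure(ev):
    """Per-event filter of the two 4625 rules after both changes from the thread."""
    if ev["EventID"] != 4625:
        return False
    if (ev["String8"], ev["String10"]) not in FAILED_STATUS:
        return False
    # "not striequ(String6, String14)": drop events where user name == workstation name
    if ev["String6"].lower() == ev["String14"].lower():
        return False
    # 'not in(String6, "bi", ".*\\$")': drop machine accounts, whose names end in '$'
    if ev["String6"].endswith("$"):
        return False
    return True

def max_in_window(times, period):
    """Largest number of timestamps that fall inside any window of length `period`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > period:
            start += 1
        best = max(best, end - start + 1)
    return best

def _threshold_alerts(events, key, period, threshold):
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev["Time"])
    return sorted(k for k, ts in groups.items() if max_in_window(ts, period) >= threshold)

def failed_logons_by_user(events, period=timedelta(minutes=10), threshold=5):
    """'Multiple failed logons by the same user': group by (domain, user), case-insensitively."""
    counted = [e for e in events if is_counted_failure(e)]
    return _threshold_alerts(counted, lambda e: (e["String7"].lower(), e["String6"].lower()),
                             period, threshold)

def failed_logons_by_workstation(events, period=timedelta(minutes=10), threshold=5):
    """'Multiple failed logons from the same workstation': group by workstation name."""
    counted = [e for e in events if is_counted_failure(e)]
    return _threshold_alerts(counted, lambda e: e["String14"].lower(), period, threshold)

def preauth_failures(events, period=timedelta(minutes=10), threshold=5):
    """Simplified 'Multiple pre-authentication failures' rule: count every 4771 in the
    window (no grouping, as in the posted rule text) and report the source IPs seen."""
    pre = [e for e in events if e["EventID"] == 4771]
    if max_in_window([e["Time"] for e in pre], period) >= threshold:
        return sorted({e["String7"] for e in pre})
    return []

if __name__ == "__main__":
    dropped = sum(not is_counted_failure(e) for e in SAMPLE_EVENTS if e["EventID"] == 4625)
    print("4625 noise events dropped:", dropped)
    print("by user:", failed_logons_by_user(SAMPLE_EVENTS))
    print("by workstation:", failed_logons_by_workstation(SAMPLE_EVENTS))
    print("pre-auth:", preauth_failures(SAMPLE_EVENTS))
```

Running it shows the ten self-logon and machine-account events being dropped while the genuine five-in-four-minutes burst from `jsmith` still trips both 4625 rules and the spread-out `tlee` failures do not, which is the behaviour the thread is trying to reach: the exclusions remove the Terminal Server's own noise without silencing real bad-password bursts. Note that, as the reply above points out, this logic can only fire if 4625 events are actually written on the monitored host; for RDP failures that surface only as 4771 on the DC, the last function is the one that applies.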

  • Regarding "I get all the alerts exactly 3 hours later" - this is the most interesting problem to me, which might mean you have overloaded your InTrust configuration. Could you please tell something about the number of agents in your lab and the number of rules sent to each?