False Positive Alerts

Hello!

I installed the InTrust agent on Terminal Servers for the first time.

I just can't find the reason why, but:

I am receiving 2 specific alerts from all my terminal servers (hundreds of times per day).

The alerts are being caused by the server computer name itself!

Here are the alerts:

First to come is :

InTrust Major alert - Multiple failed logons by the same user.

There were 5 failed logons by user domain.com\MSTS-TAL1 from workstation MSTS-TAL1.

Alert was generated on computer msts-tal1.domain.com.

The second alert is:

InTrust Major alert - Multiple failed logons from the same workstation.

There were 5 failed logons from workstation MSTS-TAL1.

Alert was generated on computer msts-tal1.domain.com

I just can't find what process or service is causing that.

It's happening every 10 minutes or so on every single Terminal Server.

What's best to do?

Is there a way to filter out the "computer": "domain.com\SERVERNAME" from this alert?

Is it a known false alert for Terminal Servers that you know about, maybe?

Thanks in advance...

  • Hi benybb,

    Let's try the following change. Open the rule properties, go to the Matching tab, click Advanced, click Find on the toolbar (binoculars icon), type "EventID = 4625", and find the last occurrence of this string in the rule text. Now type the additional condition right after: change "EventID = 4625" to "EventID = 4625 and not striequ(String6, String14)". If you see "Z." before EventID, just ignore this fact, because "EventID = 4625" and "Z.EventID = 4625" mean the same in this context. Click OK, and then commit your changes. Do the same with the second rule. This additional condition should filter out all the events where user name and workstation name are the same.
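To see what that extra condition does in isolation, here is an added Python model of the rule's counting and suppression logic; it is not InTrust code and not from this thread. The field roles (String6 user name, String7 domain, String8/String10 status codes, String14 workstation) follow the rules pasted below; the 10-minute period and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Field names follow the insertion strings the rule text references for Security event 4625:
# String6 = target user name, String7 = target domain, String8 = status,
# String10 = sub-status, String14 = workstation name. Sample events below are constructed.
FAILED_STATUS = "0xc000006d"
FAILED_SUBSTATUS = {"0xc0000064", "0xc000006a"}   # unknown user name / bad password

def make_event(user, domain, workstation, minute, substatus="0xc000006a"):
    return {"EventID": 4625, "String6": user, "String7": domain, "String8": FAILED_STATUS,
            "String10": substatus, "String14": workstation,
            "Time": datetime(2024, 1, 1, 8, minute)}

def is_failed_logon(ev):
    return (ev["EventID"] == 4625 and ev["String8"].lower() == FAILED_STATUS
            and ev["String10"].lower() in FAILED_SUBSTATUS)

def is_self_generated(ev):
    # The extra condition from the reply: drop events whose user name equals the workstation name.
    return ev["String6"].lower() == ev["String14"].lower()

def failed_logon_alerts(events, threshold=5, period=timedelta(minutes=10)):
    """Return one (user, domain, workstation) tuple per user that reaches `threshold`
    failed logons within `period`; repeats for the same user inside `period` are suppressed,
    mirroring the rule's empty(select_matches(...)) clause. Period length is an assumption."""
    filtered = sorted((e for e in events if is_failed_logon(e) and not is_self_generated(e)),
                      key=lambda e: e["Time"])
    last_alert, alerts = {}, []
    for i, ev in enumerate(filtered):
        key = (ev["String6"].lower(), ev["String7"].lower())
        recent = [e for e in filtered[:i + 1]
                  if (e["String6"].lower(), e["String7"].lower()) == key
                  and ev["Time"] - e["Time"] <= period]
        if len(recent) < threshold:
            continue
        if key in last_alert and ev["Time"] - last_alert[key] <= period:
            continue
        last_alert[key] = ev["Time"]
        alerts.append((ev["String6"], ev["String7"], ev["String14"]))
    return alerts

# Constructed sample: the server's own name failing every 2 minutes (the noise in the thread)
# plus a real burst of bad passwords for one user from a client workstation.
SAMPLE_EVENTS = (
    [make_event("MSTS-TAL1", "domain.com", "MSTS-TAL1", m) for m in range(0, 12, 2)]
    + [make_event("jdoe", "domain.com", "WS-042", m) for m in range(3, 9)]
)

if __name__ == "__main__":
    print(failed_logon_alerts(SAMPLE_EVENTS))   # [('jdoe', 'domain.com', 'WS-042')]
```

The server-name events are dropped before counting, so only the genuine burst from WS-042 reaches the threshold and is reported once.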

  • Thank you for the response.

    After the change, I suddenly don't get emails from those rules like before (from the Terminal Server).

    I tried to RDP to one Terminal Server and logged in on purpose with a wrong password more than 10 times.

    The user has been locked out, but no alerts at all...

    Without the alerts I don't know who failed to log in multiple times (and where) and who has been locked out.

    Here are the rules after the changes; maybe I've made a mistake:

    MULTIPLE FAILED LOGON BY SAME USER:

    and set_alert_field("_UsrName", String1, true)
    and set_alert_field("_UsrDomain", String2, true)
    and set_alert_field("_WorkStation", String6, true)
    )
    or
    (
    count(select_filtered(
    Z.EventID = 4625 and not striequ(String6, String14) and ( striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc0000064") or
    striequ(Z.String8, "0xc000006d") and striequ(Z.String10, "0xc000006a") ),
    striequ( Z.String6, String6 ) and striequ( Z.String7, String7 ),
    <parameter name="Time period"></parameter> ))
    >= <parameter name="Threshold"></parameter>

    and empty(select_matches(
    striequ( Z[0].String6, String6 ) and striequ( Z[0].String7, String7 ),
    <parameter name="Time period"></parameter>
    ))

    and set_alert_field("_UsrName", String6, true)
    and set_alert_field("_UsrDomain", String7, true)
    and set_alert_field("_WorkStation", String14, true)
    );

    </body>
    </rule>

    MULTIPLE FAILED LOGON BY SAME WORKSTATION:

    EventID = 4625;

    </prefilter>
    <body>

    count(select_filtered(
    EventID = 4625 and not striequ(String6, String14)
    and not in(String14, "wi", array(<parameter name="Excluded_Workstations"/>))
    and ( striequ(String8, "0xc000006d") and striequ(String10, "0xc0000064") or
    striequ(String8, "0xc000006d") and striequ(String10, "0xc000006a") ),
    striequ( Z.String14, String14 ),
    <parameter name="Time period"/>))
    >= <parameter name="Threshold"/>

    and empty(select_matches(striequ( Z[0].String14, String14 ),
    <parameter name="Time period"></parameter>
    ))

    THANKS IN ADVANCE
