Alert: Failed Logins Outside Business Hours
In the alert Failed Logins Outside Business Hours we have defined the business hours between 9am and 5pm (or 9 to 17), but we have noticed that some of the alerts are between the defined hours, for example:
Can someone help in understanding why this is happening?
Fair enough. By the way, the alert you posted is correct. The time is outside of business hours.
Is this on ESA or RE? Could you post some sanitised info about the rule?
But this one isn't:
This is what we defined for the rule:
This rule is triggered when a user logs into a system after business hours with the following conditions:
* At least 2 failed logins, described by ec_activity = Logon and ec_outcome=failure
* The failed logins are within a 3600 second (60 minute) timeframe
* The failed logins are outside of business hours: by default, this means after 5 pm and before 9 am the following day in UTC time format
* Device is not in the whitelist (device classes exempt from failed login alert)
* Device is in the blacklist (device classes NOT exempt from failed login alert)
This rule suppresses "extra" failed logins. For example, using the default conditions, if within 60 minutes, sometime between 5 pm and 9 am the following day, user xyz tries to log on 5 times and fails each time, this rule triggers an alert only for the first 2 failed logins and will suppress the next 3 events (login failures).
* Start of non-working hours time window for generating alerts is configurable. By default, 17 (UTC Format)
* End of non-working hours time window for generating alerts is configurable. By default, 9 (UTC Format)
* Within this number of seconds: allows you to choose the time window to trigger events. By default, a 3600 second time frame.
* Alerts suppressed events time window is configurable, which allows flexibility to select the alert suppression time frame. By default, a 3600 second time frame.
* Blacklist device class is configurable to trigger alert. By default, 29 device classes are listed as blacklist.
* Whitelist device class is configurable to exempt from alert. By default, the content management systems device class is listed as whitelist.
* Username is configurable, so that you can specify a list of usernames to be excluded from generating alerts. By default, service accounts are listed.
* Existence of at least one log parser enabled at log decoder which populates ec_activity = Logon and ec_outcome=failure and user_dst.
This is what we have defined for the rule:
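Added example, not code from the thread or from the product: a small Python model of the rule conditions listed above (at least 2 failures within the time window, outside-hours check in UTC, blacklist/whitelist device classes, excluded users, suppression of extra failures) run over constructed events. The device class names and the excluded service account are assumptions; the hour check takes an optional UTC offset only so the same timestamp can be read as a local clock hour.

```python
from datetime import datetime, timedelta, timezone

# Rule parameters as described in the thread (hours are UTC); device classes
# and the excluded service account are hypothetical.
OFF_HOURS_START, OFF_HOURS_END, WINDOW, SUPPRESS = 17, 9, 3600, 3600
BLACKLIST, WHITELIST = {"Unix", "Windows Hosts"}, {"Content Management Systems"}
EXCLUDED_USERS = {"svc_backup"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def outside_business_hours(ts, utc_offset_hours=0):
    # The rule compares hours in UTC (offset 0); another offset only shows how
    # the same event reads on a local clock.
    tz = timezone(timedelta(hours=utc_offset_hours))
    return not (OFF_HOURS_END <= ts.astimezone(tz).hour < OFF_HOURS_START)

def eligible(time, user, dev, activity, outcome):
    return (activity == "Logon" and outcome == "failure" and dev in BLACKLIST
            and dev not in WHITELIST and user not in EXCLUDED_USERS
            and outside_business_hours(parse_ts(time)))

def evaluate(events, min_failures=2):
    """Return (alerts, suppressed): alert on the Nth failure per user within WINDOW,
    then count later failures within SUPPRESS as suppressed, as the rule text says."""
    alerts, suppressed, recent, muted = [], 0, {}, {}
    for time, user, dev, activity, outcome in sorted(events):
        if not eligible(time, user, dev, activity, outcome):
            continue
        ts = parse_ts(time)
        if user in muted and ts < muted[user]:
            suppressed += 1          # "extra" failure inside the suppression window
            continue
        hist = [t for t in recent.get(user, []) if ts - t <= timedelta(seconds=WINDOW)] + [ts]
        recent[user] = hist
        if len(hist) >= min_failures:
            alerts.append((user, time))
            muted[user] = ts + timedelta(seconds=SUPPRESS)
            recent[user] = []
    return alerts, suppressed

# Constructed sample events: (utc_time, user_dst, device_class, ec_activity, ec_outcome)
F = ("Logon", "failure")
EVENTS = [
    ("2024-03-04T18:05:00Z", "alice", "Unix") + F, ("2024-03-04T18:20:00Z", "alice", "Unix") + F,
    ("2024-03-04T18:30:00Z", "alice", "Unix") + F, ("2024-03-04T18:45:00Z", "alice", "Unix") + F,  # alert at 18:20, 2 suppressed
    ("2024-03-04T05:30:00Z", "bob", "Unix") + F, ("2024-03-04T05:40:00Z", "bob", "Unix") + F,  # 10:30 local at UTC+5, off-hours in UTC
    ("2024-03-04T12:00:00Z", "carol", "Unix") + F, ("2024-03-04T12:10:00Z", "carol", "Unix") + F,  # inside business hours
    ("2024-03-04T20:00:00Z", "svc_backup", "Unix") + F, ("2024-03-04T20:05:00Z", "svc_backup", "Unix") + F,  # excluded user
    ("2024-03-04T20:00:00Z", "dave", "Content Management Systems") + F, ("2024-03-04T20:00:00Z", "erin", "Unix", "Logon", "success"),
]
```

Running `evaluate(EVENTS)` yields alerts for bob (05:40Z) and alice (18:20Z) and 2 suppressed events; bob's failures fall inside 9 to 17 on a UTC+5 clock but outside them in UTC, which is what the rule evaluates.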