Increased failed Windows logins - hour baseline issues
I'm trying to configure a correlated alert which fires when we see an increase in Windows login failures based on the hour baseline threshold. This is based on Windows nic logs from our domain controllers.
So far I have an alert that fires on a Windows security event 675 with a result code of 0x18. This works OK with no threshold, but as soon as I add a threshold (increase of 150% against the hour baseline) it fires all the time. I'm pretty sure these are false positives and that we aren't seeing an increase each time it fires - the logs don't show an increase (in 675 events with 0x18) for that hour.
I have a couple of questions:
1. Has anyone had any success in using the hour baseline threshold without getting false positives all the time? I always have trouble with it.
2. Is security event 675 with result code 0x18 the correct filter to use for failed Windows logins (I'm after real user logins, not system-generated ones)?
I've attached an XML export of my rule.
Thanks in advance.
From enVision online help the hour baseline threshold is defined as the number of events for the current hour compared to the number of events for the same hour of the day in the previous week. That means your correlation rule will generate a lot of false positives until it builds the baseline values.
Many Windows Security events denote a failed user login; you might also want to consider 529-537 and 539 messages.
My opinion... baselining in enVision leaves a lot to be desired. I would just take your alert and set a threshold on a certain number of events over a certain time rather than using the baseline.
Do you want to look at these login failures on a per-user basis? If so, you can multi-thread the rule to get X number of logins from Y user over Z time. Then you will get an alert when you think that the number of failures is high and that someone might be trying to get access to that account.
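The two approaches discussed in this thread, a fixed "X failures from user Y within Z time" rule and a baseline comparison that does not fire while the baseline is still empty, as an added example written in Python. This is illustration code, not enVision rule logic or anything posted by the participants. The event filter follows the thread (675 with result code 0x18, plus the legacy 529-537 and 539 failure events); the sample records, the exclusion of machine accounts (names ending in `$`), the 5-failures-in-5-minutes values, and the reading of "increase of 150%" as current >= baseline * 2.5 are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records standing in for parsed Windows Security events
# from a domain controller (made-up data, not real log output).
# Fields: (timestamp, event_id, account, result_code)
SAMPLE_EVENTS = [
    (datetime(2010, 3, 1, 9, 0, 5), 675, "jsmith", "0x18"),
    (datetime(2010, 3, 1, 9, 0, 20), 675, "jsmith", "0x18"),
    (datetime(2010, 3, 1, 9, 0, 41), 675, "jsmith", "0x18"),
    (datetime(2010, 3, 1, 9, 1, 2), 675, "jsmith", "0x18"),
    (datetime(2010, 3, 1, 9, 1, 30), 675, "jsmith", "0x18"),
    (datetime(2010, 3, 1, 9, 2, 0), 540, "jsmith", ""),        # successful logon, ignored
    (datetime(2010, 3, 1, 9, 3, 0), 675, "mjones", "0x19"),    # pre-auth required, not a bad password
    (datetime(2010, 3, 1, 9, 3, 5), 675, "mjones", "0x18"),
    (datetime(2010, 3, 1, 9, 4, 0), 529, "mjones", ""),        # legacy "unknown user or bad password"
    (datetime(2010, 3, 1, 9, 5, 0), 675, "DC01$", "0x18"),     # machine account (assumed excluded)
    (datetime(2010, 3, 1, 9, 5, 1), 675, "DC01$", "0x18"),
    (datetime(2010, 3, 1, 9, 5, 2), 675, "DC01$", "0x18"),
    (datetime(2010, 3, 1, 9, 5, 3), 675, "DC01$", "0x18"),
    (datetime(2010, 3, 1, 9, 5, 4), 675, "DC01$", "0x18"),
    (datetime(2010, 3, 1, 9, 5, 5), 675, "DC01$", "0x18"),
    (datetime(2010, 3, 1, 10, 30, 0), 675, "bwayne", "0x18"),  # five failures, but spread over an hour
    (datetime(2010, 3, 1, 10, 37, 0), 675, "bwayne", "0x18"),
    (datetime(2010, 3, 1, 10, 44, 0), 675, "bwayne", "0x18"),
    (datetime(2010, 3, 1, 10, 51, 0), 675, "bwayne", "0x18"),
    (datetime(2010, 3, 1, 10, 58, 0), 675, "bwayne", "0x18"),
]

# Legacy (pre-Vista) logon failure event IDs mentioned in the thread.
LEGACY_FAILURE_IDS = set(range(529, 538)) | {539}


def is_user_logon_failure(event_id, account, result_code):
    """True for a failed logon by a real user account.

    675 is Kerberos pre-authentication failure; only result code 0x18
    (KDC_ERR_PREAUTH_FAILED, i.e. wrong password) counts. Accounts ending
    in '$' are computer accounts and are skipped (assumption for this example).
    """
    if account.endswith("$"):
        return False
    if event_id == 675:
        return result_code.lower() == "0x18"
    return event_id in LEGACY_FAILURE_IDS


def failures_per_user(events, window=timedelta(minutes=5), threshold=5):
    """Per-user sliding window: X failures from user Y within Z time.

    Returns {account: timestamp at which the threshold was first reached}.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, event_id, account, code in sorted(events, key=lambda e: e[0]):
        if not is_user_logon_failure(event_id, account, code):
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = ts
    return alerts


def hourly_counts(events):
    """Count qualifying failures per clock hour, the input to a baseline comparison."""
    counts = defaultdict(int)
    for ts, event_id, account, code in events:
        if is_user_logon_failure(event_id, account, code):
            counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return dict(counts)


def baseline_exceeded(current, baseline, increase_pct=150):
    """Compare this hour against the same hour last week.

    A baseline of zero means no history yet (or a genuinely quiet hour), and
    any count would be an infinite increase, so the rule stays silent rather
    than firing on every event. '150% increase' is read here as
    current >= baseline * (1 + 150/100) (assumption).
    """
    if baseline == 0:
        return False
    return current >= baseline * (1 + increase_pct / 100.0)


if __name__ == "__main__":
    print("per-user alerts:", failures_per_user(SAMPLE_EVENTS))
    counts = hourly_counts(SAMPLE_EVENTS)
    print("hourly counts:", counts)
    for hour, n in sorted(counts.items()):
        for last_week in (0, 2, 3):
            print(hour, n, "vs baseline", last_week, "->", baseline_exceeded(n, last_week))
```

Only `jsmith` trips the per-user rule: five bad passwords in about ninety seconds. `bwayne` has the same number of failures but never five inside one five-minute window, and the `DC01$` burst is dropped by the machine-account filter. The hourly counts (7 for 09:00, 5 for 10:00) only raise a baseline alert when last week's figure for that hour is non-zero and small enough; with no baseline at all the function deliberately returns False, which is the behaviour the enVision rule in the question lacks while its baseline is still being built.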