I'm trying to configure a correlated alert which fires when we see an increase in windows login failures based on the hour baseline threshold. This is based on Windows nic logs from our domain controllers.
So far I have an alert that fires on a Windows security event 675 with a result code of 0x18. this works ok with no threshold but as soon as I add a threshold (increase of 150% against the hour baseline) it fires all the time. I'm pretty sure these are false positives and that we aren't seeing an increase each time it fires - the logs don't show an increase (in 675 events with 0x18) for that hour.
I have a couple of questions:
1. Has anyone had any success in using the hour baseline threshold without getting false positives all the time? I always have trouble with it.
2. Is security event 675 with result code 0x18 the correct filter to use for failed windows logins (I'm after real user logins not system generated ones).
I've attached an XML export of my rule.
Thanks in advance.