I was just building a rule for a failed logon followed by a successful logon. To test it, I just used an integrated Windows system, attempting a failed logon and then a successful logon.
But when I was investigating the events I saw very strange behaviour from Security Analytics: some events were in the Audit Failure category, but in ec.outcome they showed as successful, and event.cat.name was "user.activity.successful.logins". As part of the investigation I moved to the log view and found the log was related to a failure event, so I thought it could be a parser issue.
So I selected another Audit Failure event and found it was parsed correctly, so it is not a parser issue, because an incorrect parser can't parse one event correctly and another one incorrectly.
One failure event is parsed correctly while the other event shows event type = Audit Failure but ec.outcome = success.
Please refer to the screenshots for the same.
Is there anyone who can justify this behaviour of SA, or is SA trustworthy for monitoring?
If I create a report with ec.outcome, then this event will come under successful logins, and if I create a report using event type = Audit Failure, then the event will come under failure events.
Please suggest what I should do to get a proper report from SA; I can't check every event in investigation.
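As an added example (not from the original post or from RSA Security Analytics itself), the following Python shows the failed-then-successful-logon correlation the post describes, and a consistency check that flags records where the Windows event type and the parsed ec.outcome disagree, so a report can be reconciled instead of silently miscounting. The `Event` fields and the sample records are constructed to mirror the meta keys named in the post (event type, ec.outcome, event.cat.name).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    user: str
    event_type: str  # raw Windows keyword: "Audit Failure" / "Audit Success"
    ec_outcome: str  # parsed outcome meta: "failure" / "success"
    cat_name: str    # parsed category meta, e.g. "user.activity.failed.logins"

def is_failure(e: Event) -> bool:
    # Use the raw Windows event type as the source of truth for "failed".
    return e.event_type.lower() == "audit failure"

def is_inconsistent(e: Event) -> bool:
    # The case from the post: event type says failure but ec.outcome says success (or vice versa).
    return is_failure(e) != (e.ec_outcome.lower() == "failure")

def failed_then_success(events, window=timedelta(minutes=10)):
    """Per user: a failed logon followed by a successful one within `window`.
    Returns (user, first_failure_ts, success_ts, any_inconsistent_meta)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    hits = []
    for user, evs in by_user.items():
        pending = []  # failures not yet followed by a success
        for e in evs:
            if is_failure(e):
                pending.append(e)
                continue
            recent = [f for f in pending if e.ts - f.ts <= window]
            if recent:
                hits.append((user, recent[0].ts, e.ts, any(is_inconsistent(x) for x in recent + [e])))
            pending = []
    return hits

def failure_counts(events):
    """Failures counted both ways the post's two reports would count them: (by event type, by ec.outcome)."""
    return sum(is_failure(e) for e in events), sum(e.ec_outcome.lower() == "failure" for e in events)

# Constructed sample records, not taken from the post or from any real SA log.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [
    Event(T0, "alice", "Audit Failure", "failure", "user.activity.failed.logins"),
    Event(T0 + timedelta(seconds=20), "alice", "Audit Failure", "success", "user.activity.successful.logins"),  # mismatched meta
    Event(T0 + timedelta(seconds=45), "alice", "Audit Success", "success", "user.activity.successful.logins"),
    Event(T0 + timedelta(minutes=1), "bob", "Audit Success", "success", "user.activity.successful.logins"),
]

if __name__ == "__main__":
    print(failed_then_success(SAMPLE))
    print("failures by type / by ec.outcome:", failure_counts(SAMPLE))
    print("records with disagreeing meta:", [e for e in SAMPLE if is_inconsistent(e)])
```

The two counts returned by `failure_counts` differ exactly when records like the second one exist, which is the discrepancy between the two reports described above.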