Multiple failed logins correlation issue - Windows Rule 18151 #355
Comments
Hi @RHProficio, On Windows, at the time you have to log in to an account there is no user field yet, this means that our Best regards,
Hi Eva,
Hi,
Hello @RHProficio,
@Lopuiz @RHProficio seeing the same issue, and wondering what the resolution was?
Hello @shortstack, This may be due to the decoder. Could you give me more information about the Windows event to replicate your case? Regards, Eva
We are wondering if there is a bug in Windows rule 18151.
```xml
<if_matched_sid>18108</if_matched_sid>
<same_user />
```
Windows: Multiple failed attempts to perform a privileged operation by the same user.
pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_11.4,gdpr_IV_35.7.d,gdpr_IV_32.2,
The rule seems to correlate on this field
data.dstuser: (no user)
We wonder if it should correlate on this field
data.account_name
In our example alert for a given agent/user (system1), the alert fields are parsed for this agent, including the full log. There is one field called previous_output that appears to contain log information for a different agent/user, system2. The hostnames and data.account_name are different. So we are wondering why this previous_output data is related to the overall alert for system1. The only related field we see is data.dstuser, which is (no user) in both cases, but otherwise the log data seems unrelated.
Please contact me through Slack and I can provide the entire alert detailed information.
Thanks!
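To make the reported behaviour concrete, the following Python is an added illustration (not Wazuh's rule engine and not code from the issue) that models frequency correlation over constructed events carrying the fields the report names. Grouping on `data.dstuser`, which is `(no user)` for every Windows logon-type event here, lets an event from system2 land in the `previous_output` of an alert raised for system1; grouping on `data.account_name` keeps the hosts apart. The event list, the `frequency` of 2 and the helper names are assumptions for the demonstration.

```python
"""Toy model of frequency correlation that groups repeated
failed-privileged-operation events by a chosen field.

Added example for this issue; it is NOT Wazuh's rule engine, and the
events below are constructed to mirror the fields named in the report.
"""
from collections import defaultdict

# Constructed events (hypothetical): two hosts, two accounts,
# data.dstuser empty on both, as the issue describes.
EVENTS = [
    {"agent": "system1", "data": {"dstuser": "(no user)", "account_name": "alice"}},
    {"agent": "system2", "data": {"dstuser": "(no user)", "account_name": "bob"}},
    {"agent": "system1", "data": {"dstuser": "(no user)", "account_name": "alice"}},
]


def get_field(event, path):
    """Resolve a dotted path such as 'data.account_name'; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def correlate(events, same_field, frequency=2):
    """Fire an alert once `frequency` events share the value of `same_field`.

    Each alert records the triggering agent and the agents of the earlier
    matched events, the way previous_output carries their logs.
    """
    buckets = defaultdict(list)
    alerts = []
    for ev in events:
        key = get_field(ev, same_field)
        buckets[key].append(ev)
        if len(buckets[key]) >= frequency:
            matched = buckets.pop(key)  # consume the bucket once it fires
            alerts.append({
                "agent": ev["agent"],
                "account_name": get_field(ev, "data.account_name"),
                "correlation_key": key,
                "previous_agents": [m["agent"] for m in matched[:-1]],
            })
    return alerts


def cross_host_alerts(alerts):
    """Alerts whose previous events came from a host other than the trigger."""
    return [a for a in alerts if any(p != a["agent"] for p in a["previous_agents"])]


if __name__ == "__main__":
    for field in ("data.dstuser", "data.account_name"):
        fired = correlate(EVENTS, field)
        print(field, "->", fired, "| cross-host:", len(cross_host_alerts(fired)))
```

Run as-is: keying on `data.dstuser` produces one alert for system2 whose previous events come from system1 (a cross-host correlation), while keying on `data.account_name` produces one alert for system1 with only system1 history, which is the grouping the issue asks for.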