Hi Dan,
The false positives are as follows:
Rule 18138: The Account Name is one of our associate accounts, and the alert got triggered for this.
----------------------------------------------------------------------------------------------------------------------------------
** Alert 1504511181.106613271: mail - windows,win_authentication_failed,
2017 Sep 04 07:46:21 (------RDP INFO -------------)->WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2017 Sep 04 07:46:26 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Pinaj Account Domain: Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: Rdesktop Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
And if we look into the same alert where the Account Name is Sklad, which is not our user, it is a genuine alert: an attack from outside.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
** Alert 1504511181.106614388: mail - windows,win_authentication_failed,
2017 Sep 04 07:46:21 (-------RDP INFO------>WinEvtLog
Rule: 18138 (level 7) -> 'Logon Failure - Account locked out.'
User: (no user)
2017 Sep 04 07:46:27 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Sklad Account Domain: Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Similarly, we get alerts for rule 18152, and the Account Name varies from ADMINISTRATOR to TEST1 and so on. In this case we want only the genuine alerts and want to reduce noise by not alerting for our users. Is there any other way, or do we need to modify any rules?
And even when our users have not failed authenticating to RDPs, we do get alerts like Account locked, Authentication failure and so on.
Can you help us with this?
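Added example, not from this thread or from OSSEC itself: a small Python triage that pulls the target Account Name, Sub Status and Workstation Name out of a flattened 4625 event and suppresses the alert when the account is on an allowlist of your own users. The allowlist (Pinaj) and the abridged event strings are constructed from the two alerts quoted above.

```python
import re

# Constructed, abridged copies of the two 4625 events quoted in the message above.
SAMPLE_EVENTS = [
    "An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - "
    "Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Pinaj Account Domain: "
    "Failure Information: Status: 0xc000006d Sub Status: 0xc000006a "
    "Network Information: Workstation Name: Rdesktop Source Network Address: - Source Port: -",
    "An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - "
    "Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Sklad Account Domain: "
    "Failure Information: Status: 0xc000006d Sub Status: 0xc0000064 "
    "Network Information: Workstation Name: Source Network Address: - Source Port: -",
]

# Assumed allowlist of the organisation's own accounts; the message names Pinaj as one.
KNOWN_ACCOUNTS = {"pinaj"}

# Meaning of the NTSTATUS Sub Status codes that a 4625 event carries.
SUB_STATUS = {
    "0xc000006a": "bad password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
}

# The second "Account Name:" (after "Account For Which Logon Failed") is the target account.
ACCOUNT_RE = re.compile(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)")
SUBSTATUS_RE = re.compile(r"Sub Status:\s*(0x[0-9a-fA-F]+)")
# Workstation Name may be blank, as in the Sklad event, so match lazily up to the next field.
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(\S*?)\s*Source Network Address:")


def parse_4625(event: str) -> dict:
    """Extract target account, Sub Status (with meaning) and workstation from a 4625 event."""
    account = ACCOUNT_RE.search(event)
    sub = SUBSTATUS_RE.search(event)
    ws = WORKSTATION_RE.search(event)
    code = sub.group(1).lower() if sub else ""
    return {
        "account": account.group(1) if account else "",
        "sub_status": code,
        "reason": SUB_STATUS.get(code, "unknown"),
        "workstation": ws.group(1) if ws else "",
    }


def triage(event: str, known_accounts=KNOWN_ACCOUNTS) -> dict:
    """Suppress failed logons for accounts we own; everything else stays an alert."""
    info = parse_4625(event)
    info["verdict"] = "suppress" if info["account"].lower() in known_accounts else "alert"
    return info
```

The same split could be expressed as an OSSEC child rule of 18138 that matches your account names and lowers the level, but the parsing above shows which fields the decision has to key on.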