2018-02-22 06:45 AM
In the alert Failed Logins Outside Business Hours we have defined the business hours between 9am and 5pm (or 9 to 17), but we have noticed that some of the alerts are between the defined hours, for example:
19/02/2018 17:36:01.000 (3 days ago)
Can someone help in understanding why this is happening?
Thanks
2018-02-23 07:59 AM
Not sure where this is configured but I would suspect that it requires UTC time. So if your timezone is different, it could be the issue.
2018-02-23 08:13 AM
Hello Marinos,
Thanks for all the help,
That could be it, but not only was it the first thing we checked, the Portuguese timezone is UTC.
Regards
2018-02-23 08:59 AM
Fair enough. By the way, the alert you posted is correct. The time is outside of business hours.
Is this on ESA or RE? Could you post some sanitised info about the rule?
2018-02-23 09:23 AM
You're right...:D
Silly me....
But this one isn't:
19/02/2018 12:00:46.000
It's ESA.
This is what we defined for the rule:
This rule is triggered when a user logs into a system after business hours with the following conditions:
* At least 2 failed logins, described by ec_activity = Logon and ec_outcome=failure
* The failed logins are within a 3600 second (60 minute) timeframe
* The failed logins are outside of business hours: by default, this means after 5 pm and before 9 am the following day in UTC time format
* Device is not in the whitelist (device classes exempt from failed login alert)
* Device is in the blacklist (device classes NOT exempt from failed login alert)
This rule suppresses "extra" failed logins. For example, using the default conditions, if within 60 minutes, sometime between 5 pm and 9 am the following day, user xyz tries to log on 5 times and fails each time, this rule triggers an alert only for the first 2 failed logins and will suppress the next 3 events (login failures).
CONFIGURATION
Rule Parameters:
* Start of non-working hours time window for generating alerts is configurable. By default, 17 (UTC Format)
* End of non-working hours time window for generating alerts is configurable. By default, 9 (UTC Format)
* Within this number of seconds: allows you to choose the time window for triggering events. By default, a 3600 second time frame.
* Alert suppression time window is configurable, which allows flexibility in selecting the suppression time frame. By default, a 3600 second time frame.
* Blacklist device class is configurable to trigger alert. By default, 29 device classes listed as blacklist.
* Whitelist device class is configurable to exempt from alert. By default, content management systems device class listed as whitelist.
* Username is configurable, so that you can specify a list of usernames to be excluded from generating alerts. By default, service accounts are listed.
DEPENDENCIES
Log Parsers:
* Existence of at least one log parser enabled at the log decoder which populates ec_activity = Logon, ec_outcome = failure and user_dst.
This is what we have defined for the rule.
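The rule logic described above, as an added example that is not ESA's own code or part of the original post: a plain-Python model of the default parameters (non-working hours 17 to 9 UTC, 2 failures within 3600 s, 3600 s suppression) run over constructed sample events, which also shows why a 12:00:46 UTC failure is never counted while 17:36:01 UTC is.

```python
from datetime import datetime, timedelta, timezone

# Default rule parameters as listed in the rule description (hours are UTC).
START_NONWORKING_HOUR = 17
END_NONWORKING_HOUR = 9
WINDOW_SECONDS = 3600      # failures must fall within this window
SUPPRESS_SECONDS = 3600    # extra failures after an alert are suppressed for this long
THRESHOLD = 2              # failures needed to raise an alert


def outside_business_hours(ts):
    """True when ts (timezone-aware) falls after 17:00 or before 09:00 UTC.
    The conversion to UTC is the part that bites when logs carry a local offset."""
    hour = ts.astimezone(timezone.utc).hour
    return hour >= START_NONWORKING_HOUR or hour < END_NONWORKING_HOUR


def evaluate(events):
    """Return (alerts, suppressed): alerts as (user, time) pairs, suppressed as events."""
    failed = sorted(
        (e for e in events
         if e["ec_activity"] == "Logon" and e["ec_outcome"] == "failure"
         and outside_business_hours(e["time"])),
        key=lambda e: e["time"])
    recent, suppress_until, alerts, suppressed = {}, {}, [], []
    for e in failed:
        user, t = e["user_dst"], e["time"]
        if user in suppress_until and t < suppress_until[user]:
            suppressed.append(e)          # "extra" failure inside suppression window
            continue
        window = [x for x in recent.get(user, [])
                  if (t - x).total_seconds() <= WINDOW_SECONDS]
        window.append(t)
        recent[user] = window
        if len(window) >= THRESHOLD:
            alerts.append((user, t))
            suppress_until[user] = t + timedelta(seconds=SUPPRESS_SECONDS)
            recent[user] = []
    return alerts, suppressed


def ev(when, user, outcome="failure"):
    """Constructed sample event carrying only the fields the rule keys on."""
    return {"time": datetime.fromisoformat(when), "user_dst": user,
            "ec_activity": "Logon", "ec_outcome": outcome}


SAMPLE_EVENTS = [                                # constructed, not real log data
    ev("2018-02-19T12:00:46+00:00", "abc"),      # inside business hours: ignored
    ev("2018-02-19T17:36:01+00:00", "abc"),      # outside, but a single failure
    ev("2018-02-19T18:00:00+00:00", "xyz"),
    ev("2018-02-19T18:05:00+00:00", "xyz"),      # 2nd failure within 3600 s: alert
    ev("2018-02-19T18:10:00+00:00", "xyz"),      # suppressed
    ev("2018-02-19T18:15:00+00:00", "xyz"),      # suppressed
    ev("2018-02-19T18:20:00+00:00", "xyz"),      # suppressed
    ev("2018-02-19T18:25:00+00:00", "xyz", outcome="success"),  # not a failure
]
```

Feeding the same 17:36:01 timestamp with a +01:00 offset into outside_business_hours() returns False, since it is 16:36 UTC; that is the check worth making against the decoder's timestamps.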
2018-02-27 12:28 PM
Does anyone have the same issue?
Regards