2018-02-09 12:34 PM
Hello,
I'm using NW 11 and I have more than 13,000 alerts for "Multiple Failed Privilege Escalations by Same User".
What kind of alert is this one? How can I investigate it?
At the same time I have more than 15,000 alerts for "Multiple Account Lockouts From Same or Different Users". I realize that's about users who failed authentication on an account. But how can I know if it's their personal account, which machine they tried to log in from, etc.?
Thanks
2018-02-09 01:13 PM
Renato, that's a question that's extremely difficult to answer in a forum post. I would suggest talking to the Sales Engineer that covers your account. They can either meet with you to show you how to respond, or direct you to the appropriate training resources (many of them are free!) to explain at a higher level how to deal with alerts of any type.
For this specific alert, I can offer that I see that trigger when NetWitness is first installed at a lot of customers. It's usually caused by misconfigured systems or expired passwords in your environment. The alert will contain links back to the individual logs that are categorized as login failures and those event logs will tell you what account(s) are involved and what systems are impacted. Then you can either fix the system (update the password, stop the requests, etc.) or whitelist that account in the rule itself.
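One way to do that triage outside the product, as an added example that is not part of this thread and not NetWitness code: it aggregates constructed failed-logon and lockout records by account and source host (Windows event IDs 4625 and 4740 are assumed as the field values) so you can see which accounts and machines sit behind the alert volume, with a whitelist parameter that mirrors the rule exemption described above.

```python
# Added example (not from the thread): aggregate the failure events behind
# "failed privilege escalation" / "account lockout" alerts per account and
# source host. Sample records are constructed; event IDs 4625 (failed logon)
# and 4740 (account locked out) are assumed as the field values a SIEM exports.

# Constructed sample events, one dict per exported log line.
SAMPLE_EVENTS = [
    {"event_id": 4625, "user": "svc_backup", "src_host": "FS01", "reason": "bad password"},
    {"event_id": 4625, "user": "svc_backup", "src_host": "FS01", "reason": "bad password"},
    {"event_id": 4625, "user": "svc_backup", "src_host": "FS01", "reason": "bad password"},
    {"event_id": 4740, "user": "svc_backup", "src_host": "FS01", "reason": "lockout"},
    {"event_id": 4625, "user": "rsilva", "src_host": "WS-RSILVA", "reason": "bad password"},
    {"event_id": 4625, "user": "jdoe", "src_host": "WS-0471", "reason": "bad password"},
    {"event_id": 4625, "user": "jdoe", "src_host": "WS-0472", "reason": "bad password"},
    {"event_id": 4625, "user": "jdoe", "src_host": "WS-0473", "reason": "bad password"},
]


def summarize_failures(events, whitelist=frozenset()):
    """Group by account: failure count, distinct source hosts, whether a lockout followed."""
    summary = {}
    for ev in events:
        user = ev["user"]
        if user in whitelist:
            continue  # account already reviewed and exempted, like a rule whitelist
        entry = summary.setdefault(user, {"failures": 0, "hosts": set(), "locked_out": False})
        if ev["event_id"] == 4625:
            entry["failures"] += 1
            entry["hosts"].add(ev["src_host"])
        elif ev["event_id"] == 4740:
            entry["locked_out"] = True
    return summary


def triage(summary, min_failures=3):
    """One host failing repeatedly points at a stale or misconfigured credential on
    that host; one account failing from many hosts deserves a closer look."""
    verdicts = {}
    for user, e in summary.items():
        if e["failures"] < min_failures and not e["locked_out"]:
            verdicts[user] = "noise"
        elif len(e["hosts"]) == 1:
            verdicts[user] = f"likely misconfigured credential on {next(iter(e['hosts']))}"
        else:
            verdicts[user] = f"review: {e['failures']} failures from {len(e['hosts'])} hosts"
    return verdicts


if __name__ == "__main__":
    for user, verdict in triage(summarize_failures(SAMPLE_EVENTS)).items():
        print(f"{user}: {verdict}")
```

Feed it the events the alert links to (exported from the SIEM) instead of the constructed list and the per-account verdicts tell you which systems to fix and which accounts are candidates for the rule whitelist.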