Security server log review

Question

We have a Kiwi Syslog server for Centralized logging purposes.
Currently, our focus is only on monitoring, reviewing and reporting User Account/Password Violations.

We already used the necessary filters based on the event ID in this link - https://support.microsoft.com/en-us/kb/977519.

Now, our question is though we're already receiving the alerts. How do we identify alerts like Windows Event ID 4625 - "An account failed to log on" is related to a security attack/breach, or if they're just false alerts?

I'm not sure what you mean by "valid VS false alerts". How do you define valid alerts.? — user2339071, Jul 02 '15 at 15:14
@user2339071 the OP is asking how to identify "false positives" — schroeder, Jul 02 '15 at 16:25
This is a very broad question. It will be very difficult for us to answer for your environment. — schroeder, Jul 02 '15 at 16:30
I have the same question (valid vs false). How do you define a valid alert? If someone mistypes their password, is that a valid alert? — Ron Trunk, Jul 02 '15 at 17:35

score 0 · Answer 1 · answered Jul 02 '15 at 23:49

If you really need to distinguish between real security incidents and false positives, you can build a solution implementing Bayes classifier algorithms and properly train it. Such classifier should parse as much input data as possible, and "score" certain events, behaviors etc. to positive and negative points. Eg.:

first password authentication error in given time range -> +20
another password authentication error in the same time range -> +20
password authentication error for different user -> +40
successful password authentication in 2 minutes from the first failed attempt -> -50
successful password authentication for different user -> +35

Then you can define thresholds, eg. over 70 points will result in email alert etc.

Security server log review

1 Answers1