Deniz,
this looks like normal behaviour. Windows will typically create more events than you would expect from a given user action. Whether you count 5 or 31 events does not really matter, as long as all events contributing to your offense are correlated correctly into a single offense, which seems to be OK. If that's not the case, there are multiple ways to enforce that, e.g. by using the right offense indexing.

Depending on your Windows event number you will either have no source port at all, the same source port, or, in your case, different source ports. Please drill down into each event and look at the payload. The source port is typically derived from "Client port: 49423" in your marked example. The other events contain different payloads with different ports. Why is that the case? That is Microsoft's secret. However, if you monitor failed logins coming in from other log source types this is normal, as each new request may ask for a new TCP socket, resulting in a new source port. Unlike destination ports, source ports, when used, are dynamically assigned by the client OS.
BR Karl
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
------------------------------
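To make Karl's point concrete, here is an added example (not part of the original thread, and not QRadar code): it parses the source port out of failed-logon payloads and groups the raw events into logon attempts by account and client address within a short time window, so the "31 events vs. 5 attempts" question can be answered from the payloads themselves. The event payloads, account name, addresses, ports and timestamps are constructed; the field names are the ones the real events carry ("Source Network Address"/"Source Port" in 4625, "Client Address"/"Client Port" in the Kerberos event 4771 that a domain controller writes), which is why the parser accepts both spellings. The 2-second window is an assumed value for clustering, not something the thread specifies.

```python
"""Cluster Windows failed-logon events into logon attempts.

Added example, not code from the original thread. Sample payloads below are
constructed to look like Security event IDs 4625 and 4771; the field names are
real, the values (account, IPs, ports, timestamps) are made up.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: one mistyped password produces several raw events with the
# same account and client address but different ephemeral source ports.
# Tuples are (timestamp, event_id, payload).
SAMPLE_EVENTS = [
    ("2020-12-17 07:40:01", 4771,
     "Kerberos pre-authentication failed.\nAccount Information:\n"
     "\tAccount Name:\t\tdnuran\nNetwork Information:\n"
     "\tClient Address:\t\t::ffff:10.1.20.55\n\tClient Port:\t\t49423\n"),
    ("2020-12-17 07:40:01", 4625,
     "An account failed to log on.\nAccount For Which Logon Failed:\n"
     "\tAccount Name:\t\tdnuran\nNetwork Information:\n"
     "\tSource Network Address:\t10.1.20.55\n\tSource Port:\t\t49424\n"),
    ("2020-12-17 07:40:02", 4625,
     "An account failed to log on.\nAccount For Which Logon Failed:\n"
     "\tAccount Name:\t\tdnuran\nNetwork Information:\n"
     "\tSource Network Address:\t10.1.20.55\n\tSource Port:\t\t49425\n"),
    # A second attempt by the same user roughly half a minute later.
    ("2020-12-17 07:40:31", 4771,
     "Kerberos pre-authentication failed.\nAccount Information:\n"
     "\tAccount Name:\t\tdnuran\nNetwork Information:\n"
     "\tClient Address:\t\t::ffff:10.1.20.55\n\tClient Port:\t\t49430\n"),
    ("2020-12-17 07:40:31", 4625,
     "An account failed to log on.\nAccount For Which Logon Failed:\n"
     "\tAccount Name:\t\tdnuran\nNetwork Information:\n"
     "\tSource Network Address:\t10.1.20.55\n\tSource Port:\t\t49431\n"),
]

# 4625 uses "Source Network Address"/"Source Port", 4771 uses
# "Client Address"/"Client Port"; accept either so one parser covers both.
ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")
ADDRESS_RE = re.compile(r"(?:Source Network Address|Client Address):\s*(\S+)")
PORT_RE = re.compile(r"(?:Source Port|Client Port):\s*(\d+)")


def parse_event(timestamp, event_id, payload):
    """Extract the fields needed for clustering from one event payload."""
    accounts = ACCOUNT_RE.findall(payload)      # 4625 can list two; use the last
    addr = ADDRESS_RE.search(payload)
    port = PORT_RE.search(payload)
    address = addr.group(1) if addr else None
    if address and address.startswith("::ffff:"):   # IPv4-mapped IPv6 form
        address = address[len("::ffff:"):]
    return {
        "time": datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S"),
        "event_id": event_id,
        "account": accounts[-1].lower() if accounts else None,
        "address": address,
        "port": int(port.group(1)) if port else None,
    }


def cluster_attempts(events, window=timedelta(seconds=2)):
    """Group events into attempts keyed by (account, address) and time proximity.

    An event joins the open cluster for its key if it arrives within `window`
    of that cluster's last event; otherwise it starts a new cluster.
    """
    parsed = sorted((parse_event(*e) for e in events), key=lambda e: e["time"])
    clusters, open_cluster = [], {}
    for ev in parsed:
        key = (ev["account"], ev["address"])
        idx = open_cluster.get(key)
        if idx is not None and ev["time"] - clusters[idx]["end"] <= window:
            clusters[idx]["end"] = ev["time"]
            clusters[idx]["events"].append(ev)
        else:
            clusters.append({"account": key[0], "address": key[1],
                             "start": ev["time"], "end": ev["time"],
                             "events": [ev]})
            open_cluster[key] = len(clusters) - 1
    return clusters


def summarize(events, window=timedelta(seconds=2)):
    """Return raw event count, attempt count and the source ports per attempt."""
    clusters = cluster_attempts(events, window)
    return {
        "raw_events": len(events),
        "attempts": len(clusters),
        "ports_per_attempt": [sorted(e["port"] for e in c["events"])
                              for c in clusters],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_EVENTS).items():
        print(f"{k}: {v}")
```

Run on the constructed sample this reports 5 raw events but 2 attempts, each attempt carrying a distinct ephemeral port per event, which is the behaviour Karl describes: the port is per TCP connection, not per user action, so the attempt count comes from grouping on account, client address and time, not from the port.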
Original Message:
Sent: Thu December 17, 2020 07:56 AM
From: Deniz Nuran
Subject: Failed Log on
Hello everyone,
I would like to take your opinion on something. I came across an incident, "failed log on". A user was trying to log in to the file server, but he/she logged in with a misspelled or bad password. I used some filters and saw that the event count is 31. Then I looked at the time column. As you see, I clustered the time column with colored rectangles; I mean, I put events that occurred at the same time into the same cluster. Here my question comes! Although the events occurred at the same time, why are the source ports different for each event? I really wonder why the source ports are different even though they are in the same cluster. Also, how does one record login attempts on a domain controller? Can we count the events that occurred at the same time as a single event? So is our event count 31 or 5? I hope I expressed myself clearly :) I'm eager to receive your feedback.

------------------------------
Deniz Nuran
Tier 1 Analyst
------------------------------