Hello Dusan,
Thank you so much for your reply and suggestions. I truly appreciate it.
I configured the Multiple Login Failure rule with an additional reference set test (my temporary testing set) as you suggested. I realized the reference set was not related to any rule, which was the mistake I made. At the time of writing, this modification has stopped the offenses from generating.
Thank you so much again!
------------------------------
Zhong Zhang
------------------------------
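A small simulation of the tuning described in the reply above, added here as an example and not part of the thread or of QRadar itself: a rule that counts login failures per username within a sliding window, with an optional "username is contained in reference set" test. The event format, threshold, window and usernames are constructed assumptions; a reference set that no rule test references (whitelist=None) has no effect, which is the situation the thread describes.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch seconds, username, outcome). Not from the thread.
EVENTS = [
    (0, "svc_backup", "fail"), (20, "svc_backup", "fail"), (40, "svc_backup", "fail"),
    (60, "svc_backup", "fail"), (80, "svc_backup", "fail"), (100, "svc_backup", "fail"),
    (10, "jdoe", "fail"), (15, "jdoe", "fail"), (25, "jdoe", "fail"),
    (35, "jdoe", "fail"), (45, "jdoe", "success"), (50, "jdoe", "fail"),
    # bwong fails five times, but spread over more than the window
    (0, "bwong", "fail"), (200, "bwong", "fail"), (400, "bwong", "fail"),
    (600, "bwong", "fail"), (800, "bwong", "fail"),
]

# Stands in for the temporary whitelist reference set (constructed content).
WHITELIST_REFSET = {"svc_backup"}


def multiple_login_failures(events, threshold=5, window=600, whitelist=None):
    """Return the set of usernames that would raise an offense.

    threshold failures within `window` seconds trigger an offense.
    whitelist=None models a reference set that is populated but not
    referenced by any rule test: it changes nothing.
    """
    recent = defaultdict(deque)  # username -> timestamps of recent failures
    offenders = set()
    for ts, user, outcome in sorted(events):
        if outcome != "fail":
            continue
        # The rule test "NOT when the username is contained in reference set"
        if whitelist is not None and user in whitelist:
            continue
        window_hits = recent[user]
        window_hits.append(ts)
        # Drop failures that fell out of the sliding window
        while window_hits and ts - window_hits[0] > window:
            window_hits.popleft()
        if len(window_hits) >= threshold:
            offenders.add(user)
    return offenders


if __name__ == "__main__":
    print("no reference set test:", multiple_login_failures(EVENTS))
    print("with reference set test:", multiple_login_failures(EVENTS, whitelist=WHITELIST_REFSET))
```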
Original Message:
Sent: Thu August 01, 2019 01:02 PM
From: Dusan VIDOVIC
Subject: Fine Tuning with Reference Set
Zhong, it is my opinion that multiple login failures are not always a legitimate occurrence. That said, I agree that the out of the box rule(s) do create too many offenses. Now, what was your approach to enable whitelisting: changing the rule itself, or adding the reference to reference sets through false positive rules? Did you analyze the events that contributed to the offense and check the rules/BBs they matched? You can also install the Tuning application from the X-Force Exchange, which should help in following through the offense "flow".
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Wed July 31, 2019 12:25 PM
From: Zhong Zhang
Subject: Fine Tuning with Reference Set
Hello Community,
I'm relatively new to the QRadar tools.
Since we got a dramatic number of offenses for Multiple Login Failures, and we knew they are legitimate behaviors based on the company's policy, I was trying to create a temporary whitelist for certain users by using a reference set to eliminate the numerous offenses generated by them; however, I'm still getting new offenses with the same reason, multiple login failures. Could I possibly get some clarification and assistance regarding the purpose of implementing the reference set and the best practice for creating a temporary whitelist?
Thank you,
------------------------------
Zhong Zhang
------------------------------