IBM Security QRadar

  • 1.  Outlook application on mobile and pc fires notification

    Posted Mon March 21, 2022 07:00 AM
    Hello dear people,

    I wanted to ask you if you could help me a bit with the QRadar rules, because it fires some notifications that are irrelevant to what I wanted QRadar to do.
    To explain it, I will tell you the things that I have implemented; I don't really know why it fires that rule all the time and I get a ton of mails.
    The rule is to check if there is a successful authentication login after X failures on my Exchange server. In order for this rule to work I had to turn on a rule to check if there are X authentication failures on my Exchange server.

    The first thing I noticed is that I got a lot of failed authentications from the devices in my local network, which is not normal. Then I checked that if someone has the Microsoft Outlook application turned on, the notifications for authentication success after X failed logins are sent every 10-15 minutes. The interesting thing is that if you close the Outlook application on the particular PC, these notifications don't appear any more for that particular user. I can't understand what the Outlook application does in order for QRadar to fire that many notifications. I think the problem is that the Outlook application has some timer to check the connection or to authenticate to the Exchange server, and it triggers the rule to fire a notification. I also noticed that this problem occurs if the user is connected through the Outlook Android application. How can I resolve this issue so that QRadar does not send me a notification if the connection comes from an Outlook application where the user connection is made with the Exchange settings that must be entered into the Outlook application?

    Have you had this problem? It is really annoying because my mail is flooded with notifications from QRadar because of the Outlook application.

    Thank you

    ------------------------------
    Slavcho Andreevski
    ------------------------------


  • 2.  RE: Outlook application on mobile and pc fires notification

    IBM Champion
    Posted Tue March 22, 2022 06:13 AM
    MS Exchange is notorious for logins failing the first, second and sometimes third time before succeeding. This does trip failed authentication rules. You can look at which protocol is failing (NTLM, Kerberos, etc.) and tune the rule to ignore the failing ones. It is very likely that different clients are failing different authentication methods.

    You should also be processing the IIS logs for those authentications: 401 is a failure and 200 is a success.

    ------------------------------
    Frank Eargle
    QRadar Champion
    ------------------------------
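    As an added illustration of the IIS-log approach suggested above (example code written for this thread, not QRadar rule logic or anything the poster supplied): the script below reads W3C-style IIS log lines, separates Outlook-client requests from OWA requests by Exchange virtual directory and User-Agent (an assumption about how the two can be told apart), and counts 401s that precede a 200 from the same client IP, applying a per-client-type threshold instead of a single one. The log lines and threshold values are constructed.

    ```python
    # Added example (not from the thread): reading IIS W3C log lines to separate
    # Exchange client types and count "N failures then success" per client IP.
    from collections import defaultdict

    # Field order of the constructed log below; a real log states it in its #Fields header.
    FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-username",
              "c-ip", "cs(User-Agent)", "sc-status"]

    # Constructed sample lines (not real traffic). An NTLM handshake logs its
    # challenge round trips as 401 with no username before the final 200.
    SAMPLE_LOG = """\
    2022-03-21 07:00:01 POST /mapi/emsmdb/ - 10.0.0.5 Microsoft+Office/16.0+(Microsoft+Outlook+16.0) 401
    2022-03-21 07:00:01 POST /mapi/emsmdb/ - 10.0.0.5 Microsoft+Office/16.0+(Microsoft+Outlook+16.0) 401
    2022-03-21 07:00:02 POST /mapi/emsmdb/ CORP\\alice 10.0.0.5 Microsoft+Office/16.0+(Microsoft+Outlook+16.0) 200
    2022-03-21 07:02:10 POST /owa/auth.owa - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Firefox/98.0 401
    2022-03-21 07:02:12 POST /owa/auth.owa - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Firefox/98.0 401
    2022-03-21 07:02:15 POST /owa/auth.owa - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Firefox/98.0 401
    2022-03-21 07:02:20 POST /owa/auth.owa CORP\\bob 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0)+Firefox/98.0 200
    """

    # Per-client-type failure thresholds (assumed values): Outlook clients get a
    # higher allowance because their NTLM handshakes routinely log one or two 401s.
    THRESHOLDS = {"outlook": 5, "owa": 3, "other": 3}

    def parse(line):
        return dict(zip(FIELDS, line.split()))

    def client_kind(rec):
        """Classify by Exchange virtual directory first, then by User-Agent."""
        stem = rec["cs-uri-stem"].lower()
        if stem.startswith(("/mapi", "/rpc", "/ews", "/microsoft-server-activesync")) \
                or "outlook" in rec["cs(User-Agent)"].lower():
            return "outlook"
        if stem.startswith("/owa"):
            return "owa"
        return "other"

    def success_after_failures(lines):
        """Yield (kind, c-ip, user, failures) for each 200 preceded by 401s from
        the same client IP and client kind; the 401 count resets on each success."""
        fails = defaultdict(int)
        for line in lines:
            if not line or line.startswith("#"):
                continue
            rec = parse(line)
            key = (client_kind(rec), rec["c-ip"])
            if rec["sc-status"] == "401":
                fails[key] += 1
            elif rec["sc-status"] == "200":
                yield (*key, rec["cs-username"], fails.pop(key, 0))

    def alerts(lines):
        """Apply the per-kind threshold: the tuned form of the poster's rule."""
        return [e for e in success_after_failures(lines) if e[3] >= THRESHOLDS[e[0]]]
    ```

    With the sample data, the Outlook client's two handshake 401s stay below its threshold while the OWA client's three failures before success still raise an alert.
    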



  • 3.  RE: Outlook application on mobile and pc fires notification

    Posted Wed March 23, 2022 07:04 AM
    Thank you for the reply. I tried to distinguish the protocols that are failing, but I came to a dead end. All the logs have the same package name (NTLM only). I know that some of the logs are made because of the Outlook application and others are made another way (OWA logs on the Exchange server). These logs should be different, and yet I can't find a way to distinguish them. How can I do that? Is there a way to do that so I can tune my rules?

    ------------------------------
    Slavcho Andreevski
    ------------------------------



  • 4.  RE: Outlook application on mobile and pc fires notification

    IBM Champion
    Posted Wed March 23, 2022 12:47 PM
    If all you are getting is NTLM, I would recommend some remedial work on the security of the Windows environment. NTLM should be disabled as it is a huge security risk. I'm not sure I can give you enough logic to exclude the good and alarm on the bad authentications. Besides, positive security controls are much better than detection controls.

    https://docs.microsoft.com/en-us/answers/questions/73184/disabling-lm-ntlmv1-and-enable-ntlmv2-for-exchange.html

    ------------------------------
    Frank Eargle
    ------------------------------