Hello dear people,
I wanted to ask you if you could help me a bit with the QRadar rules, because it fires some notifications that are irrelevant to what I wanted QRadar to do.
To explain it, I will tell you the things that I have implemented. I don't really know why it fires that rule all the time and I get a ton of mails.
The rule is to check if there is a successful authentication login after X failures on my Exchange server. In order for this rule to work, I had to turn on a rule to check if there are X authentication failures on my Exchange server.
The first thing I noticed is that I got a lot of failed authentication events from the devices in my local network, which is not normal. Then I checked, and if someone has the Microsoft Outlook application turned on, the notifications for authentication success after X failed logins happen to be sent every 10-15 minutes. The interesting thing is that if you close the Outlook application on the particular PC, these notifications don't appear any more for the particular user. I can't understand what the Outlook application does in order for QRadar to fire that many notifications. I think the problem is that the Outlook application has some timer to check the connection or to authenticate to the Exchange server, and it triggers the rule to fire a notification. I also noticed that this problem occurs if the user is connected through the Outlook Android application. How can I resolve this issue so that QRadar does not send me a notification if the connection comes from an Outlook application where the user connection is made with the Exchange settings that have to be entered into the Outlook application?
Have you had this problem? It's really annoying, because my mail is overflooded with notifications from QRadar because of the Outlook application.
Thank you
------------------------------
Slavcho Andreevski
------------------------------
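The success-after-X-failures correlation described in the post, as an added Python example (not QRadar's rule engine and not the poster's configuration); the events are constructed and the `client_app` field name is an assumption:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                     # X failed logins before a success
WINDOW = timedelta(minutes=10)    # the failures must fall inside this window

# Constructed sample events, not real Exchange logs.
# Fields: time, user, src_ip, client_app, outcome. 'client_app' is an assumed
# field name; in QRadar it would be whatever property the DSM parses out.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "alice", "10.0.0.5", "Outlook", "failure"),
    ("2024-01-01T10:00:01", "alice", "10.0.0.5", "Outlook", "failure"),
    ("2024-01-01T10:00:02", "alice", "10.0.0.5", "Outlook", "failure"),
    ("2024-01-01T10:00:03", "alice", "10.0.0.5", "Outlook", "success"),   # client chatter
    ("2024-01-01T10:05:00", "bob", "203.0.113.9", "OWA", "failure"),
    ("2024-01-01T10:05:10", "bob", "203.0.113.9", "OWA", "failure"),
    ("2024-01-01T10:05:20", "bob", "203.0.113.9", "OWA", "failure"),
    ("2024-01-01T10:05:30", "bob", "203.0.113.9", "OWA", "success"),      # must still alert
    ("2024-01-01T10:30:00", "carol", "10.0.0.7", "OWA", "failure"),
    ("2024-01-01T10:30:05", "carol", "10.0.0.7", "OWA", "success"),       # below threshold
]


def correlate(events, threshold=THRESHOLD, window=WINDOW, suppressed_apps=frozenset()):
    """Return (user, success_time, failure_count) for every success that was
    preceded by at least `threshold` failures for the same user within `window`.
    Events whose client_app is in `suppressed_apps` are skipped entirely: that is
    the tuning the post asks for, and it also hides real attacks via that client."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for ts, user, _src_ip, app, outcome in sorted(events):
        if app in suppressed_apps:
            continue
        t = datetime.fromisoformat(ts)
        recent = failures[user]
        while recent and t - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if outcome == "failure":
            recent.append(t)
        elif outcome == "success":
            if len(recent) >= threshold:
                alerts.append((user, ts, len(recent)))
            recent.clear()                         # a success ends the failure run
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))                               # alice and bob fire
    print(correlate(SAMPLE_EVENTS, suppressed_apps={"Outlook"}))  # only bob fires
```

The client string is supplied by the client itself, so suppressing on it removes visibility rather than fixing the root cause; comparing the suppressed and unsuppressed results, as above, shows exactly which alerts the tuning would drop.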