Guys, I am stumped on this, hopefully someone has a good idea. I am trying to create an event set to monitor failed logins (Event ID 4625). I set up an Event Set, and started getting a bunch of these (BTW, I limited it to 10 times within 30 min).
The problem is that I am getting 4625's for different Logon Types. I really want to focus on figuring out if someone is trying to brute force attack a password, so from this list I found:
1 – Interactive
Console Logons basically.
This logon happens when you’re accessing file shares using SMB for example.
This is used for scheduled tasks.
This is used for services and service accounts that log on to start a service.
This is used whenever a user unlocks their machine.
6 – Network Cleartext
This is used when logging on over the network - when the password is sent in clear text (should happen to you!)
7 – New Credentials
This is used when you run an application using the RunAs command.
8 – Remote Interactive
This is used for the RDP applications like Terminal Services or Remote Assistance.
9 – Cached Interactive
This is logged when users log on using cached credentials.
So given this, for starters I want to ignore Type 3 and Type 4... Here is the rub... When you look at the event inside Kaseya, it looks pretty normal:
But when you look at it in an email, it looks like there is a hidden tab in there:
So how in the world do I create an ignore event? I tried playing with different options inside of the Alarm Summary filter using *Logon Type:*4* as the filter, but it didn't bring me back the results I was looking for. My guess is *4* is too generic.
How do you guys do this?
Thanks in advance!
We have accounts set to lock (require admin to unlock) if there are excessive logon attempts. Kaseya then monitors for the lock (and unlock) event in the log to send an emergency alert to us. That way, if there is a brute force attack, the client is protected by the lock and we are alerted to see if it is a user issue or an attack.
We would use our ticket processing engine to read this at the alert level, but what you're doing is at the Windows Event level. Find the event and copy/paste the text from there. You can't filter event log events using Kaseya alarm or email content!
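A worked version of what the last reply recommends, added here as an example and not taken from the thread or from Kaseya: instead of matching the rendered message text (where the e-mail rendering shows a stray tab after "Logon Type:"), query the Security log with an XPath filter on the structured LogonType field of 4625, then apply the same "10 failures in 30 minutes" rule the original Event Set used, per source address. The numbers in the comments are the LogonType values Microsoft documents for the field itself (they are not the same numbering as the list in the first post). The script assumes it runs on the machine whose Security log holds the events (add -ComputerName to Get-WinEvent for a remote host), with rights to read that log; $Threshold, $WindowMinutes and $LookbackHours are illustrative settings, not Kaseya parameters.

```powershell
# Added example, not from the original thread or from Kaseya. Filters 4625 on the
# structured LogonType field (XPath over EventData) rather than the message text,
# so the hidden tab seen in the e-mail rendering cannot break the match.
#
# LogonType values as Microsoft documents them for 4625:
#   2 Interactive   3 Network   4 Batch   5 Service   7 Unlock
#   8 NetworkCleartext   9 NewCredentials   10 RemoteInteractive   11 CachedInteractive
# Kept for brute-force hunting: 2, 8, 10, 11 (someone is typing a password).
# Dropped: 3, 4, 5 (SMB, scheduled tasks, services; usually a stale saved password).
# Caveat: RDP with Network Level Authentication records a wrong password as type 3,
# so dropping type 3 also hides RDP guessing against NLA-enabled hosts.

$Threshold     = 10     # failures ...
$WindowMinutes = 30     # ... within this many minutes, as in the original Event Set
$LookbackHours = 24     # how far back to read the Security log (assumed setting)
$lookbackMs    = [int64]([TimeSpan]::FromHours($LookbackHours).TotalMilliseconds)

# Same XPath dialect Event Viewer's "Filter Current Log" XML tab uses.
$xpath = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= $lookbackMs]]" +
         " and EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='8'" +
         " or Data[@Name='LogonType']='10' or Data[@Name='LogonType']='11']]"

# Pull the events and flatten EventData into one object per failure.
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = [int]$data['LogonType']
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        # 4625 carries '-' when there is no source IP; fall back to the workstation name
        Source    = $(if ($data['IpAddress'] -and $data['IpAddress'] -ne '-') { $data['IpAddress'] } else { $data['WorkstationName'] })
        # 0xC000006A = wrong password, 0xC0000064 = account does not exist
        SubStatus = $data['SubStatus']
    }
}

# Sliding window per source: flag a source whose Threshold-th consecutive failure
# lands within WindowMinutes of the first failure of that run.
$alerts = foreach ($group in ($failures | Group-Object Source)) {
    $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
    for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
        $span = $times[$i + $Threshold - 1] - $times[$i]
        if ($span.TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Source     = $group.Name
                Failures   = $group.Count
                Accounts   = ($group.Group.Account   | Sort-Object -Unique) -join ', '
                LogonTypes = ($group.Group.LogonType | Sort-Object -Unique) -join ','
                BurstStart = $times[$i]
                BurstEnd   = $times[$i + $Threshold - 1]
            }
            break   # one alert per source is enough
        }
    }
}

if ($alerts) { $alerts | Format-Table -AutoSize }
else { "No source reached $Threshold failures within $WindowMinutes minutes." }
```

Grouping by source rather than by account is what separates a password-spray (many accounts, one source) from a user who mistyped a password ten times; the Accounts column shows which of the two you are looking at, and SubStatus 0xC0000064 in bulk means the attacker is guessing usernames as well. The lockout approach in the earlier reply is complementary: the lock itself is logged as event 4740 on the domain controller, and that event can be picked up with the same kind of EventID filter without needing to inspect the message text at all.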