Hello,

Rule 1002, 'Unknown problem somewhere in the system.', represents 45% of the alerts, and here are 2 kinds of alert that should be set to 0 or at least correctly classified. Those are 'Failures' and 'Errors', but I thought they would be handled by 'msauth_rules.xml'. Did someone already re-classify this kind of rule? If not, I'll probably have to (mute them at least).

** Alert 1293091695.18221016: - syslog,errors,
2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682

** Alert 1293091695.18219733: - syslog,errors,
2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699449 Thu: Dec 23 09:08:14 2010 673 Security SYSTEM User Success Audit DOMAINCONTROLERNAME Account Logon Service Ticket Request: User Name: [email protected] User Domain: PETERCAM.CORP Service Name: krbtgt Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502} Ticket Options: 0x60810010 Ticket Encryption Type: 0x17 Client Address: 10.10.10.1 Failure Code: - Logon GUID: {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72} Transited Services: - 19695678

Kind regards
Js Op de Beeck
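The two alerts above are successful audits (event 680 with "Error Code: 0x0", event 673 with "Failure Code: -") that the generic rule catches only because the Windows field names contain the words "Error" and "Failure". The following Python script is an added illustration, not part of the post or of OSSEC itself: it replays the generic keyword match over the two quoted events (copied here as constructed samples, with the e-mail address replaced by a placeholder) plus a constructed real failed logon, and then applies two hypothetical child rules (ids 100201 and 100202, chosen in the local-rule range) that drop the successful audits to level 0 while leaving the genuine failure at rule 1002. The keyword list is an abridged approximation of the $BAD_WORDS variable behind rule 1002 and should be treated as an assumption.

```python
import re

# Constructed samples: the message part of the two quoted alerts, with the
# scraped e-mail address replaced by the placeholder USERXXX@PETERCAM.CORP.
SAMPLE_EVENTS = [
    "Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 "
    "Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit "
    "DOMAINCONTROLERNAME Account Logon Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT "
    "Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682",
    "Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699449 "
    "Thu: Dec 23 09:08:14 2010 673 Security SYSTEM User Success Audit "
    "DOMAINCONTROLERNAME Account Logon Service Ticket Request: User Name: "
    "USERXXX@PETERCAM.CORP User Domain: PETERCAM.CORP Service Name: krbtgt "
    "Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502} "
    "Ticket Options: 0x60810010 Ticket Encryption Type: 0x17 "
    "Client Address: 10.10.10.1 Failure Code: - "
    "Logon GUID: {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72} Transited Services: - 19695678",
]

# Constructed counter-example: a genuinely failed NTLM logon (event 680,
# Failure Audit, non-zero error code). This one must NOT be suppressed.
FAILED_LOGON = (
    "Dec 23 09:10:00 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699999 "
    "Thu: Dec 23 09:10:00 2010 680 Security USERXXX User Failure Audit "
    "DOMAINCONTROLERNAME Account Logon Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT "
    "Source Workstation: STATIONNAMEXXX Error Code: 0xC000006A 19695999"
)

# Assumption: abridged approximation of the $BAD_WORDS list that OSSEC's
# generic rule 1002 matches (case-insensitive substring match).
BAD_WORDS = re.compile(
    r"core_dumped|failure|error|attack| bad |illegal |denied|refused"
    r"|unauthorized|fatal|failed|Segmentation Fault|Corrupted",
    re.IGNORECASE,
)


def rule_1002(line):
    """Return the keyword that makes the generic rule fire, or None."""
    m = BAD_WORDS.search(line)
    return m.group(0) if m else None


# Hypothetical child rules of 1002 (ids chosen in the local range).
# Each entry: (rule id, level, predicate on the line, description).
# Both require "Success Audit", so Failure Audit events are never matched.
CHILD_RULES = [
    (100201, 0,
     lambda l: "Success Audit" in l and bool(re.search(r"Error Code: 0x0\b", l)),
     "Windows successful logon; 'Error Code: 0x0' is not an error"),
    (100202, 0,
     lambda l: "Success Audit" in l and "Failure Code: -" in l,
     "Windows Kerberos service ticket granted; 'Failure Code: -' is not a failure"),
]


def classify(line):
    """Mimic OSSEC evaluation: parent rule 1002 first, then its children.

    Returns None when the generic rule does not fire, otherwise a dict with
    the winning rule id, its level and the keyword that triggered 1002.
    """
    keyword = rule_1002(line)
    if keyword is None:
        return None
    for rule_id, level, predicate, description in CHILD_RULES:
        if predicate(line):
            return {"rule": rule_id, "level": level,
                    "matched_keyword": keyword, "description": description}
    return {"rule": 1002, "level": 2, "matched_keyword": keyword,
            "description": "Unknown problem somewhere in the system."}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS + [FAILED_LOGON]:
        result = classify(event)
        print(f"rule {result['rule']} (level {result['level']}) "
              f"fired on keyword {result['matched_keyword']!r}: {result['description']}")
```

In OSSEC itself the equivalent is a pair of rules in local_rules.xml with `<if_sid>1002</if_sid>`, a `<match>` on the distinguishing text (for example `Success Audit`) and `level="0"`; the child rule then replaces the parent's level for those events while anything that is not a success audit, such as the constructed failed logon above, still reaches rule 1002 and can be handled by a proper failed-logon rule instead of being muted.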
