security rules

About this tag
Discussions tagged with security rules on WindowsForum.com focus on configuring and troubleshooting detection rules for suspicious logins and network activity. A recurring theme involves analyzing Windows Event ID 4624 (successful logon) and using tools like QRadar to flag external IPs attempting to access Exchange servers. Users debate whether connections from Microsoft datacenter IPs are legitimate or fraudulent, often cross-referencing fraud scores from services like IPQualityScore. The tag covers practical scenarios for setting up geo-based login rules, interpreting event logs, and distinguishing false positives from genuine threats in enterprise environments.
  1. K

    Fraudulent IP connections to my exchange server? False positive or?

    Hello dear friends. I wanted to ask you about some logs that from my exchange server which i catch with qradar. They are all with qid: 5000830 or eventid:4624 which is a successful login to a server or anything. I use a rule which tells me if someone logs in to the exchange server from an...
Back
Top