Forum Discussion

Eric_Egolf's avatar
5 years ago

Monitoring Logoff/Logon Events for Anomalies

Background - We have a fairly large citrix environment(70 customers, 1200 users). Each customer has 1 or more xenapp servers depending on how many users. The environment is setup in a manner that o...
  • Cole_McDonald's avatar
    5 years ago

    Sure... I'm using this as a datasource targeting isWindows() called "Active Directory Failed Login Count"

    try {
        $events = Get-WinEvent                  `
            -ComputerName    ##system.sysname## `
            -ErrorAction     SilentlyContinue   `
            -FilterHashtable @{
                LogName   = "Security"
                Id        = 4625
                StartTime = (get-date).AddMinutes(-5)
            }                                  `
            | where Message -Match "0xC000006D"
    } catch {
            $events = @()
    }
    
    "$($events.count)"

    No warranty for the code, use at your own risk.  Please note the use of backtick line continuation for readbility.