Forum Discussion
6 minutes ago, Cole McDonald said: I've implemented this in the past as a dataSource for tracking the number of failed connection attempts against a server over a 5 minute period. PowerShell that grabs the last 5 minutes of 4625 from the Windows Security log where the message contains the status for bad username or bad password. It just returns a count rather than individual events. This let me drive a NOC widget of devices to show brute force intrusion attempts.
This could potentially be added like a cluster alert using the existing eventSource though and help to combine individual events into a single actionable alert to reduce noise.
This is a super old thread, but I just came across it... so I'll add my $0.02.
Yes, for Windows events you can do this -- we do as well. You lose the event detail, but it can alert only if N events in a window are seen (something customers ask for often). Even then, since the "collect every" value is not visible to the script, you have to take special care to ensure your event scan window and the collect every value are in sync. And this does nothing for any other type of event -- we have to use Sumo Logic (or other similar tools, like Graylog, etc.) to solve this problem in general.
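As an added example (not Cole's script and not a LogicMonitor or Sumo Logic artifact), here is one way to build the count-based check described in this thread in PowerShell: pull Event ID 4625 from the Security log for a sliding window, keep only the "unknown username" and "bad password" failures, and return a count plus an alert flag that fires only when N events are seen. It assumes it runs with rights to read the Security log on the host being checked, and it reads the SubStatus field from the event XML (using the standard Windows values 0xC0000064 for an unknown user and 0xC000006A for a wrong password) rather than matching message text, so localised event messages do not break it. The window length is a parameter precisely because of the caveat above: it has to be kept equal to the collector's "collect every" interval so that consecutive runs neither overlap nor leave gaps.

```powershell
# Added example: count failed logons (Event ID 4625) over a sliding window and
# return a single number plus an "alert if N or more" flag, instead of raw events.
# Assumptions: runs on the Windows host with permission to read the Security log;
# SubStatus 0xC0000064 = user name does not exist, 0xC000006A = bad password.

function Get-FailedLogonCount {
    [CmdletBinding()]
    param(
        # Keep this equal to the collector's "collect every" interval (in minutes)
        # so each run covers exactly one interval: no double counting, no gaps.
        [int]$WindowMinutes = 5,
        # Raise the alert flag only when at least this many matching failures are seen.
        [int]$Threshold = 10
    )

    $badUser = '0xC0000064'
    $badPass = '0xC000006A'
    $since   = (Get-Date).AddMinutes(-$WindowMinutes)

    # Get-WinEvent throws when nothing matches; suppress that and treat it as zero events.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $matched = foreach ($e in $events) {
        # Read the structured EventData fields from the event XML rather than
        # searching the free-text message, so localisation cannot break the match.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # -in is case-insensitive, so 0xc000006a in the XML matches the constant above.
        if ($data['SubStatus'] -in @($badUser, $badPass)) {
            $reason = 'BadPassword'
            if ($data['SubStatus'] -eq $badUser) { $reason = 'BadUsername' }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                User     = $data['TargetUserName']
                SourceIp = $data['IpAddress']
                Reason   = $reason
            }
        }
    }

    $count = @($matched).Count
    [pscustomobject]@{
        WindowMinutes = $WindowMinutes
        FailedLogons  = $count
        Alert         = ($count -ge $Threshold)
        # Top source addresses give a NOC widget something to show besides a number.
        TopSources    = @($matched | Group-Object SourceIp | Sort-Object Count -Descending |
                          Select-Object -First 5 Name, Count)
    }
}

# Usage: one object per run; FailedLogons is the datasource value, Alert the cluster-style trigger.
Get-FailedLogonCount -WindowMinutes 5 -Threshold 10
```

Because the script returns only a count, the per-event detail is lost exactly as the post above notes; anyone who needs the individual source addresses or user names after an alert fires still has to go back to the Security log (or a log aggregation tool) for the same window.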