Forum Discussion
Cole_McDonald
10 months ago | Professor
We use these all the time. Using $events.count as the return value:
$events = Get-WinEvent `
    -ErrorAction Stop `
    -FilterHashtable @{
        LogName   = $eventLog
        ID        = $eventID
        StartTime = (Get-Date).AddMinutes(-1 * $timeSpan)
    }
# $events.Count is the value compared against the thresholds
(note the use of backticks for line continuation)
At the top of the script is this:
$eventLog = 'Security'
$eventID = 4625
$timeSpan = 5
This allows easy cloning and quick set of the data being pulled… then you can set normal thresholds and heads/tails (consecutive polls to raise/lower the alert).
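The polling pattern the post describes (a fixed-window Get-WinEvent count, a threshold, and a run of consecutive polls before an alert is raised or cleared) put together as one runnable script. This is an added example, not the poster's own script; the threshold, the heads/tails counts, the poll interval and the function name Get-FailedLogonCount are assumed values chosen for illustration.

```powershell
# Added example (not from the original post): poll the Security log for
# event ID 4625 (failed logon) over a sliding window and apply a
# consecutive-poll ("heads/tails") rule before changing alert state.
# Threshold, heads/tails, poll interval and function name are assumptions.

$eventLog    = 'Security'
$eventID     = 4625
$timeSpan    = 5     # minutes looked back on each poll
$threshold   = 20    # failed logons per window treated as abnormal (assumed)
$heads       = 3     # consecutive over-threshold polls before raising (assumed)
$tails       = 3     # consecutive under-threshold polls before clearing (assumed)
$pollSeconds = 60    # seconds between polls (assumed)

function Get-FailedLogonCount {
    param([string]$LogName, [int]$Id, [int]$Minutes)
    try {
        # -ErrorAction Stop turns the "no events" condition into a catchable error
        $events = Get-WinEvent -ErrorAction Stop -FilterHashtable @{
            LogName   = $LogName
            ID        = $Id
            StartTime = (Get-Date).AddMinutes(-1 * $Minutes)
        }
        # @() so a single matching event still reports Count = 1
        return @($events).Count
    } catch {
        # Get-WinEvent raises an error when nothing matches; that is a count of zero
        if ($_.Exception.Message -like 'No events were found*') { return 0 }
        throw
    }
}

$alertRaised = $false
$overRun     = 0   # consecutive polls at or above the threshold
$underRun    = 0   # consecutive polls below the threshold

while ($true) {
    $count = Get-FailedLogonCount -LogName $eventLog -Id $eventID -Minutes $timeSpan

    if ($count -ge $threshold) { $overRun++;  $underRun = 0 }
    else                       { $underRun++; $overRun  = 0 }

    if (-not $alertRaised -and $overRun -ge $heads) {
        # "heads": only raise after $heads consecutive over-threshold polls
        $alertRaised = $true
        Write-Warning ("{0}: {1} x ID {2} in last {3} min; alert RAISED" -f (Get-Date), $count, $eventID, $timeSpan)
    } elseif ($alertRaised -and $underRun -ge $tails) {
        # "tails": only clear after $tails consecutive under-threshold polls
        $alertRaised = $false
        Write-Output ("{0}: below threshold for {1} polls; alert CLEARED" -f (Get-Date), $tails)
    }

    Start-Sleep -Seconds $pollSeconds
}
```

Reading the Security log requires an elevated session (or membership in Event Log Readers); without it Get-WinEvent fails with an access error rather than returning zero, which the catch block deliberately rethrows so a permissions problem is not mistaken for a quiet log. The heads/tails counters reset each other so a single noisy poll neither raises nor clears the alert on its own.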