i realized when someone asked me how to do this that i was totally remiss about posting it.
for the purpose of this exercise, i’m going to walk you through creating an event monitor which will check if a high number (subjective) of bad attempts to logon is detected within a finite period of time. so follow along… it’s much easier in opsmgr than mom 2005 (as i described in this much earlier blog post.)
here are the steps:
- create a monitor / unit monitor
- windows events / repeated event detection
at this point, you have three choices: manual, timer, and windows event reset. choose the one most appropriate for the situation. i chose the timer.
- name it “OH MY GOD! SOMEONE IS TRYING TO HACK ME!” or something else equally shocking! ;)
- target your windows domain controller or whichever group makes sense for you
- i put the rule under the parent monitor of security
- set the event log name to “Security” and move along
- in the following area, i specified these values:
- Event ID Equals 529
- Event Source Equals Security
- Parameter 1 (leave it blank if you don't want to specify anything, otherwise, provide a filter that works for you)
- Parameter 2 Equals “myDomain”
parameter 2 helps cut out some of the chatter from local security context.
- on the repeat settings tab, i specified the following:
- Trigger on count, sliding – compare 20
- Interval – 30 minutes
this is basically stating that if within 30 minutes, i receive the same event 20 times or more, flip this switch.
- for the auto reset timer, i specified 3 minutes. all these values you’ll want to slide around to make it work in your environment.
that’s all there is to it. you can use these sliding window concept to anything else such as chatty script error problems (which kevin will chastise you publicly if you admit to doing this) or repeating indications in a log file of a problem, for instance. have fun with it.