Security Monitoring: Failed RDP Logon

SecurityMonitoring.Event.FailedLogin (Rule)

Element properties:

Target: Microsoft.Windows.Server.OperatingSystem
Category: Custom
Enabled: False
Alert Generate: True
Alert Severity: Warning
Alert Priority: Normal
Remotable: True
Alert Message:
Security Monitoring: Repeated logon attempts

The following has occurred {0} times:

Event Description: {1}

Member Modules:

ID Module Type TypeId RunAs 
FailedLogin DataSource SecurityMonitoring.Event.RepeatedFailedLogind.DS Default
failedlogin WriteAction System.Health.GenerateAlert Default

Source Code:

<!-- Rule that raises an alert when the data source reports repeated failed logon events on a Windows Server OS target.
     Enabled="false": the rule ships disabled and does nothing until an override enables it. -->
<Rule ID="SecurityMonitoring.Event.FailedLogin" Enabled="false" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Custom</Category>
<DataSources>
<!-- The "Logind" spelling in the TypeID is the referenced module name; it must match the DataSourceModuleType definition (outside this listing) exactly. -->
<DataSource ID="FailedLogin" TypeID="SecurityMonitoring.Event.RepeatedFailedLogind.DS">
<!-- Threshold: 5 matching events within a 300 second window; the observed count is surfaced as {0} in the alert message. -->
<IntervalSeconds>300</IntervalSeconds>
<Count>5</Count>
<!-- "DummyValue" looks like a placeholder meant to be replaced by override; presumably an address excluded from the count. TODO confirm against the DS module type. -->
<IPExclusion>DummyValue</IPExclusion>
</DataSource>
</DataSources>
<WriteActions>
<!-- Alert write action. Priority 1 / Severity 1 correspond to the Normal priority and Warning severity listed in the element properties. -->
<WriteAction ID="failedlogin" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="SecurityMonitoring.Event.FailedLogin.AlertMessage"]$</AlertMessageId>
<!-- {0} = occurrence count from the data source, {1} = description of the triggering event. -->
<AlertParameters>
<AlertParameter1>$Data/Count$</AlertParameter1>
<AlertParameter2>$Data/Context/DataItem/EventDescription$</AlertParameter2>
</AlertParameters>
<!-- Suppression key is event parameter 20, which Custom1 below labels as the source IP address:
     presumably intended so that repeats from one address are suppressed against the open alert while each distinct address raises its own.
     The trailing space inside the value is part of the key (it matches Custom1 here, but is easy to lose on edit).
     The index is tied to the event's parameter layout; if the source event or its parameter order changes, suppression and Custom1 break silently. -->
<Suppression>
<SuppressionValue>$Data/Context/DataItem/Params/Param[20]$ </SuppressionValue>
</Suppression>
<Custom1>Source IP Address:$Data/Context/DataItem/Params/Param[20]$ </Custom1>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<!-- Custom10 carries a category label for filtering or routing alerts of this family. -->
<Custom10>Security Monitoring Exterior Threats</Custom10>
</WriteAction>
</WriteActions>
</Rule>