SecurityMonitoring.Event.RepeatedFailedLogind.DS (DataSourceModuleType)

Element properties:

Show References:
- Rules (1)

Type	DataSourceModuleType
Isolation	Any
Accessibility	Public
RunAs	Default
OutputType	System.ConsolidatorData

Member Modules:

ID	Module Type	TypeId	RunAs
Event	DataSource	Microsoft.Windows.EventProvider	Default
CD	ConditionDetection	System.ConsolidatorCondition	Default

Overrideable Parameters:

ID	ParameterType	Selector
IntervalSeconds	int	$Config/IntervalSeconds$
Count	int	$Config/Count$
IPExlusionRegEx	string	$Config/IPExclusion$

Source Code:

<DataSourceModuleType ID="SecurityMonitoring.Event.RepeatedFailedLogind.DS" Accessibility="Public">

  <Configuration>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="IntervalSeconds" type="xsd:integer"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="Count" type="xsd:integer"/>

    <xsd:element xmlns:xsd="http://www.w3.org/2001/XMLSchema" minOccurs="1" name="IPExclusion" type="xsd:string"/>

  </Configuration>

  <OverrideableParameters>

    <OverrideableParameter ID="IntervalSeconds" ParameterType="int" Selector="$Config/IntervalSeconds$"/>

    <OverrideableParameter ID="Count" ParameterType="int" Selector="$Config/Count$"/>

    <OverrideableParameter ID="IPExlusionRegEx" ParameterType="string" Selector="$Config/IPExclusion$"/>

  </OverrideableParameters>

  <ModuleImplementation>

    <Composite>

      <MemberModules>

        <DataSource ID="Event" TypeID="Windows!Microsoft.Windows.EventProvider">

          <ComputerName/>

          <LogName>Security</LogName>

          <Expression>

            <And>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value Type="UnsignedInteger">4625</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">PublisherName</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value Type="String">Microsoft-Windows-Security-Auditing</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <Or>

                  <Expression>

                    <SimpleExpression>

                      <ValueExpression>

                        <XPathQuery Type="String">Params/Param[11]</XPathQuery>

                      </ValueExpression>

                      <Operator>Equal</Operator>

                      <ValueExpression>

                        <Value Type="String">3</Value>

                      </ValueExpression>

                    </SimpleExpression>

                  </Expression>

                  <Expression>

                    <SimpleExpression>

                      <ValueExpression>

                        <XPathQuery Type="String">Params/Param[11]</XPathQuery>

                      </ValueExpression>

                      <Operator>Equal</Operator>

                      <ValueExpression>

                        <Value Type="String">10</Value>

                      </ValueExpression>

                    </SimpleExpression>

                  </Expression>

                </Or>

              </Expression>

              <Expression>

                <RegExExpression>

                  <ValueExpression>

                    <XPathQuery Type="String">Params/Param[20]</XPathQuery>

                  </ValueExpression>

                  <Operator>DoesNotMatchRegularExpression</Operator>

                  <Pattern>$Config/IPExclusion$</Pattern>

                </RegExExpression>

              </Expression>

            </And>

          </Expression>

        </DataSource>

        <ConditionDetection ID="CD" TypeID="System!System.ConsolidatorCondition">

          <Consolidator>

            <ConsolidationProperties>

              <PropertyXPathQuery>EventDisplayNumber</PropertyXPathQuery>

              <PropertyXPathQuery>PublisherName</PropertyXPathQuery>

              <PropertyXPathQuery>Params/Param[20]</PropertyXPathQuery>

            </ConsolidationProperties>

            <TimeControl>

              <WithinTimeSchedule>

                <Interval>$Config/IntervalSeconds$</Interval>

              </WithinTimeSchedule>

            </TimeControl>

            <CountingCondition>

              <Count>$Config/Count$</Count>

              <CountMode>OnNewItemTestOutputRestart_OnTimerRestart</CountMode>

            </CountingCondition>

          </Consolidator>

        </ConditionDetection>

      </MemberModules>

      <Composition>

        <Node ID="CD">

          <Node ID="Event"/>

        </Node>

      </Composition>

    </Composite>

  </ModuleImplementation>

  <OutputType>System!System.ConsolidatorData</OutputType>

</DataSourceModuleType>