Security Monitoring: Repeated RDP Logon Failures

SecurityMonitoringMP.Event.RepeatedLogonMonitor (UnitMonitor)

Element properties:

Target: Microsoft.Windows.Server.OperatingSystem
Parent Monitor: System.Health.SecurityState
Category: Custom
Enabled: True
Alert Generate: False
Alert Auto Resolve: True
Monitor Type: Microsoft.Windows.RepeatedEventLogTimer2StateMonitorType
Remotable: True
Accessibility: Public
Run As: Default

Source Code:

<!--
  Two-state unit monitor that watches the Security event log of each Windows Server
  operating-system instance for a burst of failed logons (event 4625) and rolls the
  result up under the System.Health.SecurityState parent monitor.
  State is driven by the RepeatedEventLogTimer2StateMonitorType module: a burst of
  matching events moves the monitor to Warning, and the timer state returns it to Success.
  No AlertSettings are defined here (see the comment below); alerting is delegated to a
  separate rule, so this monitor only contributes health state (and a recovery hook if one
  is added later).
-->
<UnitMonitor ID="SecurityMonitoringMP.Event.RepeatedLogonMonitor" Accessibility="Public" Enabled="true" Target="Windows!Microsoft.Windows.Server.OperatingSystem" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.RepeatedEventLogTimer2StateMonitorType" ConfirmDelivery="true">
<Category>Custom</Category>
<!-- This monitor is replaced by a rule that generates the alert. The monitor remains if a recovery is desired.
<AlertSettings AlertMessage="SecurityMonitoringMP.Event.RepeatedLogonMonitor_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>false</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/Context/DataItem/Params/Param[6]$</AlertParameter1>
<AlertParameter2>$Data/Context/Context/DataItem/Params/Param[14]$</AlertParameter2>
<AlertParameter3>$Data/Context/Context/DataItem/Params/Param[20]$</AlertParameter3>
</AlertParameters>
</AlertSettings> -->
<!--
  Mapping of monitor-type states to health states:
    TimerEventRaised    (timer expired, not enough events) -> Success
    RepeatedEventRaised (count threshold reached)          -> Warning
-->
<OperationalStates>
<OperationalState ID="NotEnoughEvents" MonitorTypeStateID="TimerEventRaised" HealthState="Success"/>
<OperationalState ID="TooManyEvents" MonitorTypeStateID="RepeatedEventRaised" HealthState="Warning"/>
</OperationalStates>
<Configuration>
<!-- Read the Security log on the computer hosting the targeted OS instance. -->
<RepeatedComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</RepeatedComputerName>
<RepeatedLogName>Security</RepeatedLogName>
<!--
  Event filter: EventDisplayNumber == 4625 AND Params/Param[11] in ("3", "10").
  NOTE(review): Param[11] is presumably the LogonType field of the 4625 event
  (3 = Network, 10 = RemoteInteractive) - confirm against the event schema in use.
  Param[11] is compared as a String, so the event value must match exactly ("3", not "03").
-->
<RepeatedExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">4625</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[11]</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">3</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[11]</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">10</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>
</RepeatedExpression>
<!--
  Threshold: 5 matching events within a 180-second window.
  ConsolidationProperties is empty, so every matching event on the host is pooled into a
  single count regardless of target account or source address; five failures spread across
  unrelated accounts or sources will trip the monitor just as five against one account will.
  NOTE(review): if per-account or per-source counting is wanted, that would need grouping
  properties here - confirm the supported elements against the monitor-type schema.
  NOTE(review): the exact semantics of this CountMode (restart on output, slide by one on
  timer) are not shown on this page - confirm before tuning Count or Interval.
-->
<Consolidator>
<ConsolidationProperties/>
<TimeControl>
<WithinTimeSchedule>
<Interval>180</Interval>
</WithinTimeSchedule>
</TimeControl>
<CountingCondition>
<Count>5</Count>
<CountMode>OnNewItemTestOutputRestart_OnTimerSlideByOne</CountMode>
</CountingCondition>
</Consolidator>
<!--
  NOTE(review): presumably the delay before the timer state (TimerEventRaised -> Success)
  is raised; at 120 seconds it is shorter than the 180-second consolidation window, so the
  monitor may return to Success while a burst is still being counted - confirm this is intended.
-->
<TimerWaitInSeconds>120</TimerWaitInSeconds>
</Configuration>
</UnitMonitor>