TechnicalHero

Monitor Failed Logon attempts


Hi All,

I'd like to monitor failed login attempts. I'd like to know if someone is trying a brute force at either a workstation or server. I already have an account lockout policy, but that is only triggered if an attacker is using a good username.

I created a remote monitor to look for Event ID 4625 after turning on logon auditing via GPO, but I get a million tickets. I really only want an Automate ticket after ten failures in, say, 5 mins. Has anyone got any better, super flash ideas on how I can do this?

Kind regards


I highly recommend Third-Wall.  They are a third party add-in to ConnectWise Automate (maybe others).  They are very reasonably priced and can even isolate a system for failed login attempts.  We've been using them for about 6 months and are very happy with it.


Perhaps a remote PowerShell monitor using Get-WinEvent. You will be able to filter down to what you want and only look back xx number of hours or minutes for the event. For example, you could play with this to suit your needs.

"%windir%\system32\WindowsPowerShell\v1.0\powershell.exe" -command "& {$evtFilter=@{'StartTime'=$([datetime](Get-Date).AddHours(-24)); LogName='Application'; ID=(1511);}; (Get-WinEvent -FilterHashTable $evtFilter -MaxEvents 1 -EA 0 | Select-object -Property * | out-string).Trim()}"

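Building on the Get-WinEvent approach above, here is an added example (not from any poster in this thread and not Automate's own code) of a script body that implements the original request: pull Security log Event ID 4625 from the last N minutes, and only report an alert once the count crosses a threshold, with a per-source and per-account breakdown so the ticket says whether one host is spraying many accounts or one account is being hammered. It assumes the script runs as the Automate agent (LocalSystem, so the Security log is readable), that the monitor is set up to match on the "ALERT" prefix or the non-zero exit code in the output, and that the threshold and window values are placeholders to tune per site.

```powershell
# Added example: fire only when >= $Threshold failed logons (4625) occur within $WindowMins.
# Assumed to run as LocalSystem via the Automate agent; threshold/window are placeholders.
param(
    [int]$Threshold  = 10,   # failures before the monitor fires
    [int]$WindowMins = 5     # look-back window in minutes
)

$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddMinutes(-$WindowMins)
}

# Get-WinEvent throws when nothing matches the filter, so suppress that and treat it as zero.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "OK: 0 failed logons in the last $WindowMins minutes"
    exit 0
}

# Read the named EventData fields from the event XML instead of positional
# Properties[] indexes, which are easy to get wrong and vary between OS versions.
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Network logons carry a source IP; local/console failures report '-' so fall back to workstation name.
    $source = if ($data['IpAddress'] -and $data['IpAddress'] -ne '-') { $data['IpAddress'] } else { $data['WorkstationName'] }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        TargetUser = $data['TargetUserName']
        Source     = $source
        LogonType  = $data['LogonType']   # 3 = network, 10 = RDP, 2 = interactive
        SubStatus  = $data['SubStatus']   # 0xC0000064 = unknown user name, 0xC000006A = bad password
    }
}

$total = @($failures).Count
if ($total -lt $Threshold) {
    Write-Output "OK: $total failed logons in the last $WindowMins minutes (threshold $Threshold)"
    exit 0
}

# Over threshold: summarise the top offenders so the ticket is actionable.
$bySource = @($failures) | Group-Object Source     | Sort-Object Count -Descending | Select-Object -First 5
$byUser   = @($failures) | Group-Object TargetUser | Sort-Object Count -Descending | Select-Object -First 5

$summary = @(
    "ALERT: $total failed logons (4625) in the last $WindowMins minutes on $env:COMPUTERNAME"
    "Top sources: " + (($bySource | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
    "Top targets: " + (($byUser   | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', ')
) -join "`n"

Write-Output $summary
exit 1
```

Run it on the same interval as the window (every 5 minutes for a 5-minute window) so each failure is counted once; a longer interval than the window leaves gaps, a shorter one double-counts. The SubStatus breakdown is worth keeping in the ticket: a run of 0xC0000064 (unknown user) is the username-guessing case the lockout policy never catches, which is exactly the gap the original post describes.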
