How do you generate an alert for 3 consecutive Windows failed logon events?

You can count the number of events in a time span. To get an alarm for 3 or more events in a rolling 30-minute window:

{HOST:eventlog[Security,,,,4625,,skip].count(30m,"4625",regexp)}>=3
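An added example (not part of the original answer, and not Zabbix code): a Python model of a rolling 30-minute count with a threshold of 3, run over constructed events. It evaluates only when a 4625 event arrives and treats the window boundary as inclusive (both are assumptions of this sketch), and it shows that a successful logon (4624) in between does not reset the count, because the item key only collects event ID 4625.

```python
from collections import deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625               # event ID the item key filters on
WINDOW = timedelta(minutes=30)    # the 30m in count(30m, ...)
THRESHOLD = 3                     # the >=3 in the trigger expression


def rolling_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Return timestamps at which the number of 4625 events inside the
    trailing window is >= threshold (checked on each new 4625 event)."""
    recent = deque()              # timestamps of 4625 events still in the window
    alerts = []
    for ts, event_id in sorted(events):
        if event_id != FAILED_LOGON:
            continue              # filtered out by the item, never counted
        recent.append(ts)
        # Age out events older than the window (inclusive boundary: assumption).
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts


def _t(hhmm):
    # Helper for the constructed sample data below.
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample: (timestamp, Windows Security event ID)
SAMPLE = [
    (_t("09:00"), 4625),
    (_t("09:10"), 4625),
    (_t("09:12"), 4624),  # successful logon: does not reset the rolling count
    (_t("09:25"), 4625),  # third failure within 30 minutes -> alert
    (_t("10:20"), 4625),  # earlier failures have aged out -> no alert
    (_t("10:30"), 4625),
]

if __name__ == "__main__":
    for ts in rolling_alerts(SAMPLE):
        print("alert at", ts.isoformat())
```

A rolling count answers "3 or more failures in 30 minutes"; strictly consecutive failures would also require collecting success events (4624) and resetting on them.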
