Is it possible to create a rule that alerts if a preselected number of instances of an event, e.g. 100, occur over a set time on a specific server?
For example, if there is an attack on your ADFS server where 100 accounts get locked out between midnight and 2 am, is it possible to highlight this? Otherwise the account lockouts may go unremarked.
Assume that the event ID is already being monitored across all DCs, but obviously an outside attack will lock the accounts out on the external-facing servers.
Nathan’s MP is awesome and worth checking. If you’d rather stick with the SCOM defaults, you can create a new Unit Monitor that should be able to do the job.
Here are two screenshots:
Hope it helps. – If not, just shout 🙂
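The logic such a monitor has to evaluate is a count of one event ID inside a sliding time window, fired the moment the count reaches the threshold. The PowerShell below is an added example, not code from this thread or from the management pack mentioned: it implements that check for Security event 4740 (which is written on the domain controller that processes the lockout, not on the ADFS server itself), using constructed sample events. The function name Test-LockoutBurst and the sample data are assumptions made for this example.

```powershell
# Added example (not from the original thread): sliding-window threshold
# check for account-lockout events (Security log, event ID 4740).
# Test-LockoutBurst and the constructed $sampleEvents below are assumptions.

function Test-LockoutBurst {
    [CmdletBinding()]
    param(
        # Objects exposing TimeCreated (DateTime) and Id (int), e.g. from Get-WinEvent
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $EventId   = 4740,
        [int]      $Threshold = 100,
        [TimeSpan] $Window    = [TimeSpan]::FromHours(2)
    )

    $notTriggered = [pscustomobject]@{ Triggered = $false; Count = 0; WindowStart = $null; WindowEnd = $null }

    # Keep only the event ID of interest, oldest first, so the window can slide forward.
    $hits = @($Events | Where-Object { $_.Id -eq $EventId } | Sort-Object TimeCreated)
    $notTriggered.Count = $hits.Count
    if ($hits.Count -lt $Threshold) { return $notTriggered }

    # Two-pointer sliding window: treat each event as the window end and move the
    # start forward until everything in [start, end] lies within $Window.
    $start = 0
    for ($end = 0; $end -lt $hits.Count; $end++) {
        while (($hits[$end].TimeCreated - $hits[$start].TimeCreated) -gt $Window) { $start++ }
        $inWindow = $end - $start + 1
        if ($inWindow -ge $Threshold) {
            # Return at the first event that pushes the window over the threshold,
            # which is the moment a monitor would raise the alert.
            return [pscustomobject]@{
                Triggered   = $true
                Count       = $inWindow
                WindowStart = $hits[$start].TimeCreated
                WindowEnd   = $hits[$end].TimeCreated
            }
        }
    }
    return $notTriggered
}

# Constructed sample data: a burst of 120 lockouts, one per minute from 00:01 to 02:00,
# a trickle of 10 legitimate lockouts spread over the day, and unrelated 4625 failures.
$day     = Get-Date '2024-01-15'
$burst   = foreach ($m in 1..120) { [pscustomobject]@{ TimeCreated = $day.AddMinutes($m);            Id = 4740 } }
$trickle = foreach ($h in 3..12)  { [pscustomobject]@{ TimeCreated = $day.AddHours($h);              Id = 4740 } }
$noise   = foreach ($h in 0..23)  { [pscustomobject]@{ TimeCreated = $day.AddHours($h).AddMinutes(30); Id = 4625 } }
$sampleEvents = @($burst) + @($trickle) + @($noise)

# Attack night: fires on the 100th lockout, window 00:01 .. 01:40.
Test-LockoutBurst -Events $sampleEvents -Threshold 100 -Window ([TimeSpan]::FromHours(2))

# Normal day: 10 lockouts in total, nothing fires.
Test-LockoutBurst -Events (@($trickle) + @($noise))

# Against a real domain controller (requires rights to read the Security log):
# $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-2) }
# Test-LockoutBurst -Events $ev
```

Two caveats for putting this into production: the threshold and window should be tuned per server, since a busy DC sees a steady background of legitimate lockouts that a two-hour window of 100 would miss or, on a small domain, a much lower count would already be abnormal; and because the check is stateless, whatever runs it (a scheduled script or a script-based SCOM monitor) must either run at least once per window or widen the window it queries so a burst that straddles two runs is not split below the threshold.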
I would look through this blog https://nathangau.wordpress.com/ and check out his security MP. There was a coffee break webinar on the MP at one point; you should be able to find it pretty easily.