0

Is it possible to create a rule that alerts if a preselected, e.g. 100, instances of an event occur over a set time on a specific server.

For example, if there is an attack on your ADFS server, where 100 accounts get locked out between midnight and 2 am, is it possible to highlight this?  Otherwise the account lockouts may go unremarked.

Take it that the event id is already being monitored across all DCs, but obviously an outside attack will lock the accounts out on the external facing servers.

Ervia selected answer