Alert when a large number of an event occurs on a specific server within a certain timeframe

Is it possible to create a rule that alerts if a preselected number, e.g. 100, of instances of an event occurs over a set time on a specific server?

For example, if there is an attack on your ADFS server, where 100 accounts get locked out between midnight and 2 am, is it possible to highlight this? Otherwise the account lockouts may go unremarked.

Take it that the event ID is already being monitored across all DCs, but obviously an outside attack will lock the accounts out on the external-facing servers.

I would look through this blog https://nathangau.wordpress.com/ and check out his security MP. There was a coffee break webinar on the MP at one point; you should be able to find it pretty easily.

Hi,

Nathan’s MP is awesome and worth checking. If you would rather stick to the SCOM defaults, you can create a new Unit Monitor that should be able to do the job.

Here are two screenshots:

Hope it helps. If not, just shout :)
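To make the counting behaviour of such a monitor concrete, here is an added example that is not from this thread or from SCOM: a sliding-window detector run over constructed log lines, raising one alert per server once a threshold of lockout events falls inside a two-hour window and not re-raising it (like a manual-reset monitor). It assumes a hypothetical log line format and Windows event ID 4740 (account locked out).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    # Hypothetical format: "<ISO timestamp> <server> <event id> <account>"
    ts, server, event_id, account = line.split()
    return datetime.fromisoformat(ts), server, int(event_id), account

def detect_bursts(lines, event_id, threshold=100, window=timedelta(hours=2)):
    """Return {server: {first, last, count}} for every server on which
    `threshold` or more occurrences of `event_id` fall inside one sliding
    `window`. Each server alerts once; later events do not re-alert."""
    recent = defaultdict(deque)  # server -> timestamps still inside the window
    alerts = {}
    for line in sorted(lines, key=lambda l: l.split()[0]):
        ts, server, eid, _ = parse_line(line)
        if eid != event_id or server in alerts:
            continue
        q = recent[server]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[server] = {"first": q[0].isoformat(),
                              "last": ts.isoformat(), "count": len(q)}
    return alerts

def build_sample_log():
    """Constructed data: 120 lockouts on ADFS01 between 00:00 and 01:50,
    5 lockouts on DC01 spread over a day (below threshold), and 150
    unrelated 4625 events on ADFS01 that must be ignored."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    lines = [f"{(base + timedelta(seconds=55 * i)).isoformat()} ADFS01 4740 user{i:03d}"
             for i in range(120)]
    lines += [f"{(base + timedelta(hours=4 * i)).isoformat()} DC01 4740 staff{i}"
              for i in range(5)]
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} ADFS01 4625 user999"
              for i in range(150)]
    return lines

if __name__ == "__main__":
    for server, info in detect_bursts(build_sample_log(), 4740).items():
        print(f"ALERT {server}: {info['count']} lockouts between {info['first']} and {info['last']}")
```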

That’s great Rick, thanks. I would look at this as a long-term solution, as to implement it now would draw a load more monitoring on my (as the blog says, it has to be actively monitored and is for an organisation with a robust presence). I would like to get our security team on board before implementing.

Hi Ruben, that did the trick. I set up the monitor, tested and deployed. Setting the reset to manual as well, so if there’s an attack overnight it won’t reset to green. Also included in the NOC Dashboard.