Excessive Logon Attempts

Summary

The condition runs the Excessive Logon Attempts automation once per minute and generates a ticket with the script’s results if any monitored event log is detected.

Details

Name: Excessive Logon Attempts
Description: The condition runs the automation once per minute and generates a ticket with the script’s results if any monitored event log is detected.
Recommended Agent Policies: Windows Server [Default]

Dependencies

Condition Creation

Conditions can be configured within an Agent Policy. This document provides an example using the default Windows Server [Default] policy for demonstration purposes.

Navigate to Administration > Policies > Agent Policies.

Search for Windows Server and select the default Windows Server [Default] policy.
DefaultWindowsServer

This will navigate you to the policy's landing page, which is the Conditions section. Note that conditions may vary across different policies and environments. The provided screenshot is for demonstration purposes only.

Click the Add a condition button to add a new condition.
AddACondition

The Condition screen will appear.
ConditionScreen

Condition

Click the Select a condition button to select the condition.
SelectACondition

Following screen will appear.
SelectConditionWindow

Select the Script Result Condition from the dropdown menu.
ConditionDropdown

The Script Result Condition configuration screen will appear.
ScriptResultConditionConfig

Enter the following details and click Apply.

Condition: Script Result Condition
Evaluation Script: Search and select Excessive Logon Attempts. Provide the desired value for Threshold and Minutes parameters.
Run Every: 0 Hours 1 Minutes
Timeout: 0 Hours 5 Minutes
Result Code: equal to 1
With Output: Contains Logon Type Reference Table:

Condition so far after clicking the Apply button.

Configuration

Set the following details:

Name: Excessive Logon Attempts
Severity: Major
Priority: High
Auto-reset: After 1 Hour When no longer met
Channel(s): <Leave it blank>
Notify Technician: Do not send notifications
ConnectWise: Create a ticket
Ticket Template: Excessive Logon Attempts
Ticketing Rule: Off

Note: The details above may differ depending on environment. Please verify the required information with consultant or partner before completing these fields.

Saving the Condition

Click the Add button to save the condition.

Completed Condition

Saving Agent Policy

Click the Save button located at the top-right corner of the screen to save the agent policy.
Save

You will be prompted to enter your MFA code. Provide the code and press the Continue button to finalize the process.
MFA

Summary​

Details​

Dependencies​

Condition Creation​

Condition​

Configuration​

Saving the Condition​

Completed Condition​

Saving Agent Policy​

Ticket Output Example​