Successful Login Alert after Minimum 5 Failed Attempts on the same User in 10 Minutes

Alert Purpose

  • Failed login attempts
  • Successful login attempt

Data Sources Needed

  • Windows Security Log with Logon audits enabled in GPO

How to create alert ALERTDEV-25

  1. Open CQ web interface.

  2. Go to “Settings > Alerts > Realtime”

  3. Create a new alert by pressing the “Create new alert definition” button.

  4. Create the first rule to identify the “Windows 4625 Failed Logon”: press the “Add field condition” button and select EventID = 4625.

  5. Add a second rule, press the “Add correlation condition” button and select “UserName = Rule No. 1 UserName”.

  6. Add rule 3 and select “Add correlated condition” (UserName = Rule No. 1 UserName) and “Add field condition” (EventID = 4624).

  7. Save Alert & Exit
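The correlation the three rules express (at least five 4625 events for one UserName inside ten minutes, followed by a 4624 for that same user), as an added Python example run over constructed sample events; this is not code from the CQ product or from this page, and the event field names and sample timestamps are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the alert definition: at least 5 failed logons (4625) for
# the same user within 10 minutes, followed by a successful logon (4624).
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
MIN_FAILURES = 5
WINDOW = timedelta(minutes=10)

def detect_success_after_failures(events):
    """Return one finding per 4624 that follows >= MIN_FAILURES 4625 events
    for the same UserName inside WINDOW. Each event is a dict with 'time'
    (ISO 8601), 'EventID' (int) and 'UserName' (str), sorted by time as the
    collector would deliver them."""
    failures = defaultdict(deque)  # UserName -> timestamps of recent 4625s
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        window = failures[ev["UserName"].lower()]  # account names are case-insensitive
        # Forget failures that fell out of the 10-minute correlation window.
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if ev["EventID"] == FAILED_LOGON:
            window.append(ts)
        elif ev["EventID"] == SUCCESSFUL_LOGON and len(window) >= MIN_FAILURES:
            findings.append({"UserName": ev["UserName"], "success_at": ev["time"],
                             "failures_in_window": len(window),
                             "first_failure_at": window[0].isoformat()})
            window.clear()  # one alert per burst; a new burst must re-reach the threshold
    return findings

def _mk(minute, event_id, user):  # helper for the constructed sample below
    return {"time": f"2024-03-01T09:{minute:02d}:00", "EventID": event_id, "UserName": user}

# Constructed sample events (not real log data): alice trips the rule; bob's success
# comes more than 10 minutes after his failures; carol has only 4 failures.
SAMPLE_EVENTS = sorted(
    [_mk(m, 4625, "alice") for m in range(5)] + [_mk(6, 4624, "alice")]
    + [_mk(m, 4625, "bob") for m in range(5)] + [_mk(15, 4624, "bob")]
    + [_mk(m, 4625, "carol") for m in range(4)] + [_mk(5, 4624, "carol")],
    key=lambda e: e["time"],
)

if __name__ == "__main__":
    for finding in detect_success_after_failures(SAMPLE_EVENTS):
        print(finding)  # prints only alice's finding, with 5 failures in the window
```

Feed it events with the same three fields in arrival order; a burst that reaches the threshold and is then followed by a success raises exactly one finding, and failures older than ten minutes never count.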

Alert Object

Test Events