Receiving security alerts via email (or similar notifications) often requires additional steps so that your email inbox is not flooded with audit failure events.
Filter thresholds allow you to accommodate most scenarios in which you want to receive notifications based on events in the security event log. Common scenarios include requirements such as:
•be notified if a user attempts to login with a wrong password more then X times in Y minutes
•be notified if there are a large amount of audit failures during a short time interval
•be notified when a .exe file in the system32 directory has been modified
•be notified when certain applications (.exe files) are launched
The pages in this chapter will explain how to accomplish some of the above scenarios using filters and threshold options. Please click the following links for more examples:
1.Threshold filter to detect a large amount of audit failures
2.Threshold filter to be notified when a user logs in with wrong password
3.Include filter to detect file changes in selected directories
