Monitoring and alerting on the runtime duration of processes

This guide demonstrates how to set up EventSentry to trigger an alert when a process runs longer than a specified duration. We will use PowerShell as the example for this configuration.

Open EventSentry Management Console
From the left menu tree expand Packages and click on System Health (1)
From the top ribbon, click on ADD to add a new Package (2)
Name the Package (Ex: Threat Intel) and press enter (3)

Screenshot 1 — Creating the Package

Right-click on the just-created filter (1) click on add (2) then Performance / SNMP (3), and then click on the new filter

Screenshot 2 — Adding a performance object

Click on the just-created package (Performance / SNMP) (1)
From the right windows click on (+) button (2), and a new window will open
Under General / Name, Enter the desired name for this performance object (3)
Right to the Windows Counter, enter “Process()\Elapsed Time” (4) or you can also click on Browse, select “Preocess” and under the counter “Elapsed time” and click ok. In that case, be sure to replace “_Total” with “”
Change the “Exclusions” drop down, to “Inclusions” (5)
enter “PowerShell*” (6)
Enter a Description for the counter (Optional) (7)
Click on the Alert Tab (8)

Screenshot 3 — Configuring a performance object

In Alert tab, check that “Enable Event Log Alert” and Warning are selected (1)
Set Alert if value is “more than” (2)
The first field is expressed in seconds, for this example we use 600 (10 minutes) (3)
for “1” / “Second(s)” (4)
Click OK (5) to finish editing the object.

Screenshot 4 — Assigning the package

Be sure to assign the package by right clicking on the package, clicking “Assign” and selecting the Computers or Groups to assign this package to. You can alternatively make the package Global (to apply to all hosts)

Screenshot 5 — Configuring the alert threshold

Explanation: We just created a package (Thread Intel) with a Performance / SNMP object, that will monitor all “powershell*” processes (the * is needed because multiple PowerShell instances will be named powershell#1 powershell#2 and so on). An alert will be generated in the event log if the process is running for more than 600 seconds (10 minutes).