Event Log Filters

Threshold Filters (Step 3 of 6)

When creating a standard include filter it will forward the event to the action every time the event occurs. Filter thresholds allow you to take actions based on when and how often the filter matches an event.

Detecting Security Breaches

Imagine the common situation where an employee types a wrong password when logging in. The event generated would be an accident, not a critical security breach. However, if 10+ wrong password attempts were generated in under a few minutes you would want to be alerted.

Limiting Redundant Notifications

Filter thresholds can also be used to prevent a filter from flooding an action. An example of this is when Windows writes an event every second to the System log when it discovers a bad block on disk. This is an event you will most likely wish to know about, but you probably do not want to receive 1,000+ emails in 10 minutes.

Event Logging

There is also the option to generate events in the Information log that indicates when the threshold was met. These events can be used to ensure the threshold is configured correctly and even be sent out as a notification.