Trigger Action when 2 or multiple separate events occur within certain time period

edited June 2016 in EventSentry [General]

We are trying to achieve the following:
If 2 or more separate events, which have different event ids and sources, occur within a certain time period, we should be notified by email.
You could think of this as an event chain.
Example of event chain:
1. Microsoft EMET mitigation event (possible exploitation of IEXPLORE.EXE) is logged
2. Application Crash event of IEXPLORE.EXE is logged
3. Software Restriction Policies or AppLogger event is logged

This event chain would give us a clue about a possible malware infection, if logged during let's say 1 minute on the same server.
There are more ideas about further interesting event chains.

Currently I am unsure how to set this up.
The Threshold option only applies to one include filter and I think it is not a good idea to have one include filter looking up all these above events all together, because this would also trigger an Action if there were several Application Crashes during the defined threshold interval.

It would be nice if you could help me out on this.

Thanks and regards


  • Hi Stefan,

    Chaining events (or filters), like you described, is unfortunately not currently supported. It has been mentioned by users before however, and I will make sure that we boost the priority of this feature request so that it gets implemented soon.

    Using a threshold may be a work-around for the time being, although I understand that it's not ideal for the reasons you mentioned.

    We will do some research on our end; if this is possible without a new feature then we'll let you know.

    Please also feel free to suggest this new feature at

    Thank you!
  • Hello Ingmar,

    Thank you for your response. I just added a feature request.
    I hope this feature will be implemented as this would enhance your product in my eyes.
  • Hello,
    I've read that event chaining is possible with version 3.3.
    Where can I find some examples?

  • Hi Thorsten,

    Sorry for the delay in responding. Filter chaining is described in our documentation:

    We don't have any tutorials yet since the feature is pretty new, but the idea is that you can trigger an event (and subsequently an action) when a number of (related) events occur within a certain time period.

    Stefan uses it for security reasons, but I could think of other scenarios as well. For example, chaining multiple performance counter alerts, or file checksum alerts chained with software/service installation events.

    I hope this helps, let us know if you need more clarification. Thanks!
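
The correlation discussed in this thread, sketched as an added example (not part of the original posts and not EventSentry's own implementation): an alert fires only when every stage of the chain is seen on the same host within the window, so repeated crashes alone do not trigger it. The host names, sources, event ids and the names `CHAIN`, `WINDOW` and `correlate` are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages: name -> (event source, event id).
# Constructed sample values; substitute the sources/ids from your own logs.
CHAIN = {
    "emet_mitigation": ("EMET", 2),
    "app_crash": ("Application Error", 1000),
    "srp_block": ("SoftwareRestrictionPolicies", 865),
}
WINDOW = timedelta(minutes=1)

def correlate(events, chain=CHAIN, window=WINDOW):
    """Return [(host, first_ts, last_ts)] for each completed chain.

    events: iterable of (timestamp, host, source, event_id), in any order.
    A chain completes when all stages occur on one host within `window`.
    """
    stage_of = {key: name for name, key in chain.items()}
    last_seen = defaultdict(dict)  # host -> {stage: most recent timestamp}
    alerts = []
    for ts, host, source, event_id in sorted(events):
        stage = stage_of.get((source, event_id))
        if stage is None:
            continue  # event is not part of the chain
        seen = last_seen[host]
        seen[stage] = ts
        # Forget stages whose latest occurrence has left the window.
        for name in [n for n, t in seen.items() if ts - t > window]:
            del seen[name]
        if len(seen) == len(chain):
            alerts.append((host, min(seen.values()), ts))
            seen.clear()  # start a fresh chain for this host
    return alerts

def _t(seconds):
    return datetime(2016, 6, 1, 10, 0, 0) + timedelta(seconds=seconds)

SAMPLE_EVENTS = [  # constructed events
    (_t(0), "SRV01", "EMET", 2),
    (_t(12), "SRV01", "Application Error", 1000),
    (_t(40), "SRV01", "SoftwareRestrictionPolicies", 865),  # full chain
    (_t(5), "SRV02", "Application Error", 1000),
    (_t(15), "SRV02", "Application Error", 1000),  # crashes only: no alert
    (_t(0), "SRV03", "EMET", 2),
    (_t(30), "SRV03", "Application Error", 1000),
    (_t(200), "SRV03", "SoftwareRestrictionPolicies", 865),  # too late
]
```

This version ignores the order of the stages; requiring them in sequence would mean tracking the next expected stage per host instead of a set of seen stages.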
