'Break-in' Attempt Notifications

I came across the Regulation and Event Log Compliance article and under item 3 it mentions "Immediate Email notification of break-in attempts, configured with thresholds". Is there any more information on this, such as how to set it up, which event IDs to look for, etc.?

Comments

  • Implementing this would largely depend on your specific environment, but as a starting point you would want to monitor all failed logon attempts, in particular security event 4625.

    The "Compliance" event log package which ships with EventSentry also contains a number of events you would want to look for in order to detect potentially malicious activity. You can download this package if you don't have it on your system.

    But like I mentioned earlier, there are many other events which may be the result of a break-in attempt, e.g. coming from a log file, Syslog or an SNMP trap. The more devices and data you monitor with EventSentry, the more likely it is that you will detect illegal activity. I would start with any service which faces the Internet and/or contains confidential information.

    We also have a number of tutorials and screen casts on the eventsentry.com web site, and also offer web-based training for a small fee.

    I hope this helps!
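An added example of the threshold logic the reply describes, written for this page rather than taken from the thread or from EventSentry: it runs over constructed 4625-style records (timestamp, target account, source address) and raises one alert per source address once a threshold of failed logons falls inside a sliding time window. The field layout, sample values and default threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Security event 4625 fields
# (TimeCreated, TargetUserName, IpAddress). Values are made up.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "alice", "203.0.113.7"),
    ("2024-05-01T09:00:12", "alice", "203.0.113.7"),
    ("2024-05-01T09:00:20", "bob",   "203.0.113.7"),
    ("2024-05-01T09:00:25", "admin", "203.0.113.7"),
    ("2024-05-01T09:00:31", "root",  "203.0.113.7"),
    ("2024-05-01T09:03:00", "carol", "192.0.2.14"),
    ("2024-05-01T09:20:00", "carol", "192.0.2.14"),
]


def threshold_alerts(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source IP the first time it accumulates
    `threshold` failed logons within a sliding `window`.
    Events must be supplied in chronological order."""
    recent = defaultdict(deque)  # source IP -> (time, account) still inside the window
    alerted = set()              # IPs already reported, to avoid repeat alerts
    alerts = []
    for ts, user, ip in events:
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((t, user))
        # Drop entries that have aged out of the window.
        while q and t - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "count": len(q),
                "users": sorted({u for _, u in q}),  # many accounts from one IP suggests a spray
                "at": ts,
            })
    return alerts


if __name__ == "__main__":
    for a in threshold_alerts(SAMPLE_EVENTS):
        print(f"{a['at']}: {a['count']} failed logons from {a['ip']} against {a['users']}")
```

Raising the threshold or narrowing the window tunes how noisy the alert is; the second address in the sample never fires because its two failures are 17 minutes apart.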