I’ve spent a few hours on this today using various settings. I just can’t get the profile to trigger based on an event ID.
I’m looking for Security event 4625 (unsuccessful login) using “Monitoring” and have “event ID = 4625” set in the conditions. The profile is associated with the machine and set to produce an alert on detection.
My problem is that it just won’t detect. Has anyone else found this? What is the resolution?
What I’m not 100% with is the piece of code that states " -After (Get-Date).AddMinutes(0) " which I believe is looking for an event created at the current time (and date). What I’m not sure about is that if this custom script is set to run every 15 minutes (as per the recommendation) then surely this needs to be set as " -After (Get-Date).AddMinutes(-15) " so that it’s looking for the event having been generated within the previous 15 minutes.
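A look-back query for event 4625 over one polling interval, as an added example that is not part of the original post and is not the monitoring product's own script. The `$WindowMinutes` parameter and the exit-code convention are assumptions made for illustration.

```powershell
# Added example: list failed logons (Security event 4625) from the last polling window.
# $WindowMinutes is an assumed parameter; set it to the interval the script is scheduled at.
param(
    [int]$WindowMinutes = 15
)

# A negative offset looks back in time; an offset of 0 means "after this instant",
# which no already-logged event can satisfy.
$start = (Get-Date).AddMinutes(-$WindowMinutes)

$filter = @{
    LogName   = 'Security'   # reading this log needs administrative rights
    Id        = 4625
    StartTime = $start
}

try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent reports "no matching events" as an error; treat only that case as empty
    # so that access-denied or a bad filter is not mistaken for "no failed logons".
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() } else { throw }
}

$failures = foreach ($e in $events) {
    # The named fields of a 4625 record are <Data Name="..."> elements under EventData.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Account     = $data['TargetUserName']
        LogonType   = $data['LogonType']
        SourceIp    = $data['IpAddress']
    }
}

if ($failures) {
    $failures | Sort-Object TimeCreated | Format-Table -AutoSize | Out-String | Write-Output
    Write-Output "$(@($failures).Count) failed logon(s) since $start"
    exit 1   # assumed convention: non-zero exit signals a detection to the caller
}

Write-Output "No failed logons since $start"
exit 0
```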
Hello @ftechservices
We reached out to the script developers to check whether improvements can be made to the script that you are testing. Rest assured that we will get back to you once we get word from the team. We appreciate your patience on the matter.