What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Monitor Brute Force Attacks in Network

Votes:

0

We want to monitor and alarm brute force attacks on domain logins. We tried to setup a sensor to fetch Eventlogs from our DomainController with ID 4771. Unfortunately, we cannot further specify, that only a lot of events in a short time is relevant for an alarm regarding brute force. At the moment, every failed login attempt generates an alarm, this is not what we want. Does anyone have an idea how to realize such a task? Maybe another sensor can fulfill this requirements better?

Regards, Thomas

bruteforce eventlog failed-logins

Created on Mar 9, 2021 8:18:07 AM



1 Reply

Votes:

0

Hello Thomas,

Thank you for your message.

Regarding what you would like to achieve, the best way would be to write a custom script (and use it with an EXE/script sensor) to get the number of events with ID 4771, and then check their number over a specific time period.

To get the event logs with the ID you mentioned, you can use one of the following PowerShell cmdlets: Get-EventLog, Get-WinEvent.

Here is an article which might help you to filter the logs: https://adamtheautomator.com/get-eventlog/

Then, you can return many information in PRTG such as if a brute force is currently happening (and configure a limit on it to trigger notification) and how many attempts are made over the period configured in the script.

Here is the manual which shows how to return information in PRTG via a script: https://www.paessler.com/manuals/prtg/custom_sensors

If you have further questions, let us know.

Regards.

Created on Mar 9, 2021 12:00:51 PM by Florian Lesage [Paessler Support]

Last change on Mar 9, 2021 12:02:19 PM by Florian Lesage [Paessler Support]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.