Create scheduled task that triggers when it detects some event number (4625)

  • Question


  • Hello community,

    I'm trying to create a monitor that notifies me by mail when a 4625 event occurs.

    I have created a task associated with that event which is triggered by executing a .ps1 script with the information of the event and the data for sending mail.

    I would like to use this system, but with the task triggered when it detects several 4625 events in a certain time (for example 10 in 2 minutes).

    How could I run it like this? My content of .ps1:

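    # Sender, recipient and subject of the notification mail
    $EmailPropio = "mail.mail.es";
    $EmailDestino = "mail.mail.com";
    $Asunto = "Intento de acceso a X"
    # Newest failed-logon (4625) event; without -InstanceId this would return
    # whichever Security event happens to be newest when the task runs
    $evento = Get-EventLog -LogName "Security" -InstanceId 4625 -Newest 1
    # Mail body built from the event's fields
    $Mensaje = @"
    Evento a revisar en $($evento.MachineName)
    Identificador: $($evento.EventId)
    Fuente: $($evento.Source)
    Tipo:  $($evento.EntryType)
    Fecha / Hora:  $($evento.TimeGenerated)
    Texto:  $($evento.Message)
    "@
    # Send through the SMTP server with authentication
    $ServidorSMTP = "mail.mail.es"
    $ClienteSMTP = New-Object Net.Mail.SmtpClient($ServidorSMTP, 25)
    $ClienteSMTP.Credentials = New-Object System.Net.NetworkCredential("mail@mail.es", "******");
    $ClienteSMTP.Send($EmailPropio, $EmailDestino, $Asunto, $Mensaje)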


    • Moved by Bill_Stewart Friday, March 9, 2018 7:41 PM This is not "scripts on demand"
    Monday, December 4, 2017 4:07 PM

All replies

  • This forum doesn't offer fully made solutions. We're here to help with specific scripting issues and errors.

    What have you tried so far and what errors are you getting?

    Monday, December 4, 2017 4:48 PM
  • Events in the event log execute a script once for each event.  Search for examples of creating event log tasks.

    https://technet.microsoft.com/en-us/library/cc748900(v=ws.11).aspx

    There are many blog articles that describe this in more detail.


    \_(ツ)_/


    • Edited by jrv Monday, December 4, 2017 6:47 PM
    Monday, December 4, 2017 6:46 PM
  • Hi,

    I'm not looking for any solution already made, I'm looking for help with a technical question to complete my script, but thanks for your input as well.

    Tuesday, December 5, 2017 12:39 PM
  • Thank you very much, but I have created the task. What I do not get is the part of the script that compares the dates of the last 5 events of the Security EventLog related to id 4625. I have the following:

    $date = Get-Date
    $event = Get-EventLog -LogName Security -InstanceId 4625 -Newest 5
    If ($event.TimeGenerated -le $date)
    {
        # (mail options)
    }

    but I can not get the execution to compare the dates of the last 5 events.

    Tuesday, December 5, 2017 12:45 PM
  • UPDATE:

    I created:

    $date = Get-Date
    $event = Get-EventLog -LogName Security -InstanceId 4625 -Newest 5
    If ($event.TimeGenerated -le $date)
    {
        # (mail options)
    }

    in the script, but I cannot get the execution to compare the times/dates of the last 5 events. :(

    Tuesday, December 5, 2017 12:47 PM
  • It is impossible to understand what you are asking.

    Why do you need to compare the dates? What is the purpose for this?

    The code you have posted makes no sense.  Of course all dates will be less than the current date.

    What are you trying to compare?


    \_(ツ)_/

    Tuesday, December 5, 2017 12:51 PM
  • I am trying to compare the time of the last 5 events with id 4625, so that in case they are the same, a notification is sent by mail.
    The purpose of the script is to report brute force attacks and detect concurrent failed access attempts.
    Tuesday, December 5, 2017 1:14 PM
  • No two events will ever be the same time.  Events are logged serially and generated serially.  You cannot detect what you are trying to detect and the event log is not the correct tool for doing this.

    What you want is to detect every event and measure the time difference between them.  This can be done in a database.  There are many third party tools that detect break-ins using many more accurate and better methods.


    \_(ツ)_/

    Tuesday, December 5, 2017 1:19 PM
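
One way to get the "10 in 2 minutes" behaviour the question asks for, as an added example that is not part of the original thread: the task still fires on every 4625 event, and its script counts the 4625 events inside the window before deciding to mail. The cooldown, the state-file path, and the mail addresses and SMTP server are assumptions or placeholders.

```powershell
# Added example. Action script for the scheduled task attached to event 4625.
$Threshold = 10                         # failures that count as a burst (question's example)
$Window    = New-TimeSpan -Minutes 2    # ... within this window (question's example)
$Cooldown  = New-TimeSpan -Minutes 10   # assumption: minimum gap between two alert mails
$Stamp     = Join-Path $env:ProgramData 'Alert4625.stamp'   # hypothetical state file

# Ask the event log service for 4625 events inside the window only.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date) - $Window }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -lt $Threshold) { return }    # isolated failures: stay quiet

# The task fires once per event, so without this check every failure past the
# threshold would send another mail.
if ((Test-Path $Stamp) -and (((Get-Date) - (Get-Item $Stamp).LastWriteTime) -lt $Cooldown)) {
    return
}

# Count failures per target account and source address, read by field name
# from the event XML rather than by position.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{ User = $data['TargetUserName']; Source = $data['IpAddress'] }
}
$summary = $rows | Group-Object User, Source | Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name } | Out-String

$body = @"
$($events.Count) failed logons (event 4625) on $env:COMPUTERNAME in the last $($Window.TotalMinutes) minutes.

Count  User, Source
$summary
"@

# Placeholder addresses and server (assumptions); replace with real values.
# -ErrorAction Stop keeps the cooldown from starting if the mail was not sent.
Send-MailMessage -From 'alerts@example.com' -To 'admin@example.com' `
    -Subject "Failed logon burst on $env:COMPUTERNAME" -Body $body `
    -SmtpServer 'smtp.example.com' -ErrorAction Stop
Set-Content -Path $Stamp -Value (Get-Date -Format o)   # start the cooldown
```

The account that runs the task must be able to read the Security log, which ordinary user accounts cannot do by default.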