Introduction
Watch the Windows Event Log for specific event IDs and alert when they appear too frequently. The Event Log monitor fires when a matching event occurs a defined number of times within your chosen time window, which is useful for catching brute-force login attempts, application crashes, disk errors, and other patterns that only matter in volume.
ℹ️ NOTE: The Event Log monitor currently supports Windows only. macOS and Linux support is coming in a future update.
Event Log Monitor
Level watches the Windows Event Log on covered devices for any of the event IDs you specify. When the matching events accumulate to your Occurrences count within the Duration window, an alert fires.
The combination of occurrences and duration is what makes this useful. Event ID 4625 (failed logon) appearing once isn't notable. Appearing 10 times in a minute is a brute-force attempt worth acting on immediately.
Configuring Event Log Monitor
Open the target monitor policy, then add or edit an Event Log monitor. The Edit monitor panel opens on the right.
Name and Type
Enter a name in the Name field. Include the event ID and what it represents; "Failed Login Attempts (4625)" is immediately readable in an alert list.
Set Type to Event log.
Severity
Set Severity based on what the event IDs represent in context:
Information
Warning
Critical
Emergency
Event IDs
Enter one or more Windows Event IDs to watch. Type an ID and press Tab or add a comma to add it as a tag, then continue entering more.
💡 TIP: You can monitor multiple related event IDs in a single monitor. For example, group all failed authentication event IDs (4625, 4771, 4776) into one monitor rather than creating separate monitors for each.
Log Name
Enter the name of the Windows Event Log to watch. The field is case-insensitive. Common values:
Security: security and logon events
System: OS-level events, hardware, drivers
Application: application-generated events
Source
Source is optional. Enter a source name to narrow the monitor to events from a specific application or component within the log. Leave blank to match the event IDs across any source in that log.
Levels
Select one or more event log levels to match. Only events at the selected levels will count toward your occurrences threshold:
Information
Warning
Error
Critical
Verbose
Click the dropdown to add levels. Click × next to a level chip to remove it. Click the × on the right of the field to clear all selections.
ℹ️ NOTE: Windows Event Log levels and Level alert severity are separate concepts. The Levels field filters which event log entries are counted; Severity sets the priority of the alert Level creates.
Occurrences
Occurrences sets how many matching events must be detected within the duration window before an alert fires. Use the up/down arrows to set the value.
Duration
Duration sets the time window for counting occurrences. The unit dropdown lets you choose Minutes or Hours; the slider and up/down arrows set the value within that unit.
💡 TIP: Match the duration window to the threat model. Failed logins are best monitored over a short window (e.g., 10 failures in 30 minutes) to catch active attacks. Application crashes might use a wider window (e.g., 5 crashes in 1 hour) to avoid alerting on isolated incidents.
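To sanity-check a threshold before saving the monitor, you can replay the same rule against a device's local log. The script below is an added example, not Level's own code; the rule values (Security log, IDs 4625/4771/4776, 10 occurrences in 30 minutes) are assumed to mirror the failed-login example above, and reading the Security log requires an elevated PowerShell session.

```powershell
# Added example (not Level's code): evaluate an Event Log monitor rule against
# the local host and report whether Occurrences within Duration would be met.
# Assumed rule values mirror the "Failed Login Attempts" example on this page.
$Rule = @{
    LogName     = 'Security'        # Log Name field (case-insensitive)
    Ids         = 4625, 4771, 4776  # Event IDs field
    Source      = $null             # Source field; $null matches any provider
    Occurrences = 10                # Occurrences field
    Minutes     = 30                # Duration field, expressed in minutes
}

# Build the Get-WinEvent filter from the rule. StartTime bounds the Duration window.
$filter = @{
    LogName   = $Rule.LogName
    Id        = $Rule.Ids
    StartTime = (Get-Date).AddMinutes(-$Rule.Minutes)
}
if ($Rule.Source) { $filter.ProviderName = $Rule.Source }

# Get-WinEvent raises an error when nothing matches; treat "no events" as a count of zero.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$count  = $events.Count

# Per-ID breakdown shows which of the grouped IDs is actually driving the count.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

if ($count -ge $Rule.Occurrences) {
    Write-Output ("WOULD FIRE: {0} matching events in the last {1} min (threshold {2})" -f
        $count, $Rule.Minutes, $Rule.Occurrences)
} else {
    Write-Output ("Below threshold: {0} of {1} events in the last {2} min" -f
        $count, $Rule.Occurrences, $Rule.Minutes)
}
```

Run it with different Occurrences and Minutes values to see how the Warning and Critical tiers described in the FAQ would behave on real traffic before committing them to a policy.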
Auto-Resolve
Auto-resolve alert if it is no longer applicable is disabled by default for Event Log monitors. Event-based alerts represent something that already happened; they don't have a "currently breached" state to clear automatically, so leaving auto-resolve off means alerts persist until a technician reviews and resolves them.
Remediation
Attach one or more automations to run when this monitor fires: isolate a device, reset a user account, create a ticket, or page your team.
Click in the Remediation field and select an automation.
To add more, click + Add another remediation.
To remove one, click the × next to it.
ℹ️ NOTE: Remediations run when the alert is created, not when it resolves.
Notifications
Send notifications on alert creation: policy recipients get an email when the alert fires
Send notifications on alert resolution: policy recipients get an email when the alert resolves
Recipients are managed at the monitor policy level, in the Recipients section.
Saving the Monitor
Click Update monitor to save changes, or Add monitor when adding a new one.
FAQ
Who can create and edit monitors? Technicians with access to the relevant monitor policy. Permission settings are managed in Workspace → Permissions.
Where do I find event IDs for the events I want to monitor? Windows Event Viewer is the fastest way: find an event you want to monitor, open its properties, and the Event ID is listed there. Microsoft's documentation and security references like the Windows Security Log Encyclopedia are also useful for common security event IDs.
Can I monitor the same event ID with different occurrence thresholds? Yes: create separate monitors for each threshold. For example, one monitor for 3 failed logins in 1 hour (Warning) and another for 10 in 1 minute (Critical).
Does the Event Log monitor work on macOS or Linux? No: Windows Event Log is a Windows-only feature. For log-based monitoring on macOS or Linux, use a Script Monitor that reads system logs directly.
What happens to open Event Log alerts if I delete the monitor? Existing alerts remain in place. Deleting a monitor doesn't close alerts it already created; resolve those manually.