Level

Event Log Monitor lets you watch for specific Event IDs. Define the log source and Event ID(s); then define how many times the event must occur in a given timeframe before an alert is raised or an automation is triggered.

- Excessive failed log‑ons
- Malware detections from a security tool
- Service crashes or restarts
- Application errors

With highly targeted rules, you surface the events that matter and ignore the rest.

___________________________________________________________

Navigate to Policy -&gt; Monitors -&gt; Add or choose an existing Monitor Policy and choose Add new monitor.

Name – Give the monitor a name - the name is what shows in the alert, e.g. "Application crashed 5 times in the last hour"

Severity – The alert priority you want to raise (Information, Warning, Error, Critical) – independent of the OS event level.

Event IDs – One or more numeric IDs (press Tab or type a comma between IDs).

Log name – Case‑insensitive channel name, e.g. <code>Security</code>, <code>System</code>, <code>Application</code>

Source (optional) – Event Source/Provider string if you need to narrow further (e.g. <code>Outlook</code>, <code>VSS</code>, <code>Kernel-General</code>).

Levels (optional) – Filter on Windows event level (Information, Warning, Error, Critical, Verbose). Leave blank to match any.

Occurrences &amp; Duration – Specify how many matching events must occur within the chosen time window before an alert is triggered. ​Example: <code>5</code> occurrences in <code>1</code> minute

Auto‑resolve – Enable to clear the alert automatically once the condition is no longer met.

Automations (optional) – Select a predefined automation to run when the alert fires (e.g. disable the local account, kick off a remediation script).

Notifications (optional) – Enable if you want email notifications when the alert is created or resolved.

1. Navigate to Policy -&gt; Monitors -&gt; Add or choose an existing Monitor Policy and choose Add new monitor.
2. Name – Give the monitor a name - the name is what shows in the alert, e.g. "Application crashed 5 times in the last hour"
3. Type - Chose Event Log
4. Severity – The alert priority you want to raise (Information, Warning, Error, Critical) – independent of the OS event level.
5. Event IDs – One or more numeric IDs (press Tab or type a comma between IDs).
6. Log name – Case‑insensitive channel name, e.g. <code>Security</code>, <code>System</code>, <code>Application</code>
7. Source (optional) – Event Source/Provider string if you need to narrow further (e.g. <code>Outlook</code>, <code>VSS</code>, <code>Kernel-General</code>).
8. Levels (optional) – Filter on Windows event level (Information, Warning, Error, Critical, Verbose). Leave blank to match any.
9. Occurrences &amp; Duration – Specify how many matching events must occur within the chosen time window before an alert is triggered. ​Example: <code>5</code> occurrences in <code>1</code> minute
10. Auto‑resolve – Enable to clear the alert automatically once the condition is no longer met.
11. Automations (optional) – Select a predefined automation to run when the alert fires (e.g. disable the local account, kick off a remediation script).
12. Notifications (optional) – Enable if you want email notifications when the alert is created or resolved.

The rule is immediately pushed to all tagged endpoints that match the policy.

Tip – If the rule never triggers, check that Windows Logon Failure auditing is enabled.

Be specific – Combine Event ID with Log name (and Source or Level) to reduce false positives.

Use thresholds – In our example above, a single failed log‑on is usually noise; ten in a minute deserves attention.

Pair alerts with automations – For example, run a script to disable an offending account or react in realtime to collect more diagnostics.

Start narrow, expand later – Begin with one or two high‑value rules (e.g. 1102, 1116) before adding broader coverage.

- Be specific – Combine Event ID with Log name (and Source or Level) to reduce false positives.
- Use thresholds – In our example above, a single failed log‑on is usually noise; ten in a minute deserves attention.
- Pair alerts with automations – For example, run a script to disable an offending account or react in realtime to collect more diagnostics.
- Start narrow, expand later – Begin with one or two high‑value rules (e.g. 1102, 1116) before adding broader coverage.

Q Can I monitor multiple Event IDs in one rule? Yes—separate them with commas or hit Tab after each ID.

Track critical Windows events and turn them into actionable alerts without drowning in log noise.

Monitors - Event Logs

Create a custom design with text, images, and links

Level Status

Feature Request

Home

Find answers and get help from Intercom Support and Community Experts

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Field	Value
Event ID	`4625`
Log name	`Security`
Levels	leave blank
Source	leave blank
Occurrences	10
Duration	`1` minute
Alert severity	`Warning`

Monitors - Event Logs

1  Overview

2  Creating an Event Log Monitor

4  Example

Detect possible brute‑force log‑ons

5  Best Practices

6  FAQ

Monitors - Event Logs

1 Overview

2 Creating an Event Log Monitor

4 Example

Detect possible brute‑force log‑ons

5 Best Practices

6 FAQ

1  Overview

2  Creating an Event Log Monitor

4  Example

5  Best Practices

6  FAQ