dzh01
Level 9
Message 1 of 5

Need help setting up alarms


I want to have an email sent to me every time an Admin account is created or an Admin account is locked out. I've created alarms before and have email notification set up. But how would I go and create these?

1 Solution

Accepted Solutions
penoffd
Level 10
Message 2 of 5

Re: Need help setting up alarms


Ideally you would want to have an internal event match, such as Event ID 407912448, to alert you to changes in admin level accounts.

Go to the "System Properties" menu, "Alarms":

In Alarm Settings - Summary: Name, Conditions - Internal Event Match, Actions - Log Event, Create Case.  Check "Enabled" box and assign a severity.

In Alarm Settings - Condition: Internal Event Match, Field - Normalized ID, Values - Event ID to trigger on, such as the one above.  Set the frequency at 10 minutes to start.

In Alarm Settings - Devices: No need to check anything here.

In Alarm Settings - Actions: Choose to Log Event, Create Case, etc., as desired.  In this tab you can use the "Send Message" checkbox to send an email to a recipient.

In Alarm Settings - Escalation: Again, choose as needed if so.  If not, leave empty.

Click "Finish" and your alarm is set.

Enjoy!

Dan

4 Replies
dzh01
Level 9
Message 3 of 5

Re: Need help setting up alarms


Where do I find the correct Event IDs for the admin lockout or admin user change?

Re: Need help setting up alarms


Hi,

Did you find the event ID?

Thanks

xded
Level 12
Message 5 of 5

Re: Need help setting up alarms


There is no special Event_ID for an Admin Lockout. But there is an Event ID for a Lockout for a Windows Account.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740

--> Event ID 4740

So now you need a list of all Admin accounts (Watchlist).

Configure your alarm to check whether the user from the Event log is in this watchlist.
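
The watchlist match described in the thread, written out as stand-alone detection logic. This is an added example, not part of any post and not the SIEM's own rule format. The event field names, the account names and the reading of the 10-minute "frequency" as a per-account minimum gap between notifications are assumptions.

```python
from datetime import datetime, timedelta

LOCKOUT_EVENT_ID = 4740            # Windows account lockout, as cited in the thread
SUPPRESS = timedelta(minutes=10)   # assumed meaning of the alarm "frequency"
# Constructed watchlist of admin accounts (hypothetical names).
ADMIN_WATCHLIST = {"adm-jsmith", "adm-backup", "administrator"}

def normalize(account):
    """Reduce DOMAIN\\user or user@domain to a lowercase bare user name."""
    name = account.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()

def admin_lockout_alerts(events, watchlist=ADMIN_WATCHLIST, suppress=SUPPRESS):
    """Return (time, user) for each lockout of a watchlisted account,
    at most one per user per suppression window."""
    wanted = {normalize(w) for w in watchlist}
    last_alert, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != LOCKOUT_EVENT_ID:
            continue                      # not a lockout event
        user = normalize(ev["target_user"])
        if user not in wanted:
            continue                      # locked-out account is not an admin
        prev = last_alert.get(user)
        if prev is not None and ev["time"] - prev < suppress:
            continue                      # still inside the suppression window
        last_alert[user] = ev["time"]
        alerts.append((ev["time"], user))
    return alerts

# Constructed sample events; field names are hypothetical, not a SIEM schema.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    {"event_id": 4740, "time": T0, "target_user": "CORP\\ADM-JSmith"},
    {"event_id": 4740, "time": T0 + timedelta(minutes=3), "target_user": "adm-jsmith@corp.example"},
    {"event_id": 4740, "time": T0 + timedelta(minutes=4), "target_user": "CORP\\alice"},
    {"event_id": 4624, "time": T0 + timedelta(minutes=5), "target_user": "CORP\\adm-backup"},
    {"event_id": 4740, "time": T0 + timedelta(minutes=12), "target_user": "adm-jsmith"},
]

if __name__ == "__main__":
    for when, user in admin_lockout_alerts(SAMPLE_EVENTS):
        print(f"{when:%H:%M} admin account locked out: {user}")
```

Normalizing the account name before the lookup matters because the same admin can appear as `DOMAIN\user`, `user@domain` or in mixed case, and a literal string match against the watchlist would miss those.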
