Excessive Alerts Detected when more than 25 Events in 24 hours

Download JSON Download Python

Ratings

Release Time

09/01/2022

Downloads

445 times

Update Time

04/04/2025

Views

504 times

Share-it:

Tags

detected Event id NUMsp

Note:

Run the script as custom monitoring
https://wiki.comodo.com/frontend/web/topic/how-to-use-custom-script-procedure-monitoring

Procedure's Instructions

#To define a particular parameter, replace the 'parameterName' inside itsm.getParameter('parameterName') with that parameter's name
event_exceed = 25   # Maximum events excced in the duretion time      
duration = 24         #Duration in hrs
import subprocess
import ctypes
from collections import Counter
import sys

def alert(arg):
    sys.stderr.write("%d%d%d" % (arg, arg, arg))
    
class disable_file_system_redirection:
    _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
    _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
    def __enter__(self):
        self.old_value = ctypes.c_long()
        self.success = self._disable(ctypes.byref(self.old_value))
    def __exit__(self, type, value, traceback):
        if self.success:
            self._revert(self.old_value)

def ecmd(ps_command):
    with disable_file_system_redirection():
        process=subprocess.Popen('powershell "%s"'%ps_command, shell=True, stdout=subprocess.PIPE)
    result=process.communicate()
    ret=process.returncode
    if ret==0:
        if result[0]:    
            return result[0].strip()
        else:
            return None
    
    else:   
        return '%s\n%s'%(str(ret), str(result[1]))

ps_command1=r'Get-EventLog -LogName "system" -EntryType "error" -After (Get-Date).AddHours(-%d) |Select-Object -Property EventId'%duration
data1 = ecmd(ps_command1)
ps_command2=r'Get-EventLog -LogName "system" -EntryType "warning" -After (Get-Date).AddHours(-%d) |Select-Object -Property EventId'%duration
data2 = ecmd(ps_command2)
ps_command3=r'Get-EventLog -LogName "application" -EntryType "error" -After (Get-Date).AddHours(-%d) |Select-Object -Property EventId'%duration
data3 = ecmd(ps_command3)
ps_command4=r'Get-EventLog -LogName "application" -EntryType "warning" -After (Get-Date).AddHours(-%d) |Select-Object -Property EventId'%duration
data4 = ecmd(ps_command4)
event_ids = []
if data1 != None:
    [event_ids.append(i) for i in data1.split('\r')[2:]]
if data2 != None:
    [event_ids.append(i) for i in data2.split('\r')[2:]]
if data3 != None:
    [event_ids.append(i) for i in data3.split('\r')[2:]]
if data4 != None:
    [event_ids.append(i) for i in data4.split('\r')[2:]]

data = dict(Counter(event_ids))
events_list = []
for a, b in data.items():
    if b > event_exceed:
        events_list.append(a)

if len(events_list) > 0:
    print "List of Events Exceed %s"%event_exceed
    print events_list
    alert(1)
else:
    alert(0)

 
#To define a particular parameter, replace the 'parameterName' inside itsm.getParameter('parameterName') with that parameter's name
event_exceed = 25   # Maximum events excced in the duretion time      
duration = 24         #Duration in hrs
import subprocess
import ctypes
from collections import Counter
import sys
​
def alert(arg):
    sys.stderr.write("%d%d%d" % (arg, arg, arg))
    
class disable_file_system_redirection:
    _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
    _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
    def __enter__(self):
        self.old_value = ctypes.c_long()
        self.success = self._disable(ctypes.byref(self.old_value))
    def __exit__(self, type, value, traceback):
        if self.success:
            self._revert(self.old_value)
​
def ecmd(ps_command):
    with disable_file_system_redirection():
        process=subprocess.Popen('powershell "%s"'%ps_command, shell=True, stdout=subprocess.PIPE)
    result=process.communicate()
    ret=process.returncode
    if ret==0:
        if result[0]:    
            return result[0].strip()
        else:
            return None
    
    else:   
        return '%s\n%s'%(str(ret), str(result[1]))
​
​
ps_command1=r'Get-EventLog -LogName "system" -EntryType "error" -After (Get-Date).AddHours(-%d) |Select-Object -Property EventId'%duration
data1 = ecmd(ps_command1)
ps_command2=r'Get-EventLog -LogName "system" -EntryType "warning" -After (Get-Date).AddHours(-%d) |Select-Object -Property EventId'%duration
data2 = ecmd(ps_command2)
ps_command3=r'Get-EventLog -LogName "application" -EntryType "error" -After (Get-Date).AddHours(-%d) |Select-Object -Property EventId'%duration
data3 = ecmd(ps_command3)
ps_command4=r'Get-EventLog -LogName "application" -EntryType "warning" -After (Get-Date).AddHours(-%d) |Select-Object -Property EventId'%duration
data4 = ecmd(ps_command4)
event_ids = []
if data1 != None:
    [event_ids.append(i) for i in data1.split('\r')[2:]]
if data2 != None:
    [event_ids.append(i) for i in data2.split('\r')[2:]]
if data3 != None:
    [event_ids.append(i) for i in data3.split('\r')[2:]]
if data4 != None:
    [event_ids.append(i) for i in data4.split('\r')[2:]]
​
​
data = dict(Counter(event_ids))
events_list = []
for a, b in data.items():
    if b > event_exceed:
        events_list.append(a)
​
if len(events_list) > 0:
    print "List of Events Exceed %s"%event_exceed
    print events_list
    alert(1)
else:
    alert(0)
​

Comments

No Comments.

Excessive Alerts Detected when more than 25 Events in 24 hours

Comments

Leave a Comment