PS Login Monitor - MSSQL.xml
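<?xml version="1.0" encoding="UTF-16"?>
<!--
  Task Scheduler definition: starts PowerShell whenever SQL Server writes one of
  the failed-login events listed in the trigger to the Application log, and hands
  the event ID and event data to On-FailedMSSQLLogin in PSLoginMonitor.ps1.

  Security-relevant properties of this task, in one place:
    * It runs as LocalSystem (S-1-5-18) at the highest available run level.
    * Part of what it puts on the command line comes from the event record, and
      failed-login events record values sent by the connecting client.
    * The script is dot-sourced through a relative path.
-->
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Triggered by event IDs 17828, 17832, 17836 and 18456 in the Windows event log which indicate failed SQL Server login attempts.</Description>
    <URI>\PS Login Monitor - MSSQL</URI>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <!-- The subscription is an event-log query stored as escaped text: Subscription
           is a string element in the task schema, so the QueryList markup must be
           entity-escaped rather than written as child elements. -->
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[(Level=2 or Level=4 or Level=0) and (EventID=17828 or EventID=17832 or EventID=17836 or EventID=18456)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <!-- MSSQL event data. Each Value is an XPath evaluated against the triggering
           event; the result is available to the action as $(name).
           NOTE(review): EventData has several Data children for these events; which
           of them this query yields should be confirmed against a real event. -->
      <ValueQueries>
        <Value name="EventData">Event/EventData/Data</Value>
        <Value name="EventID">Event/System/EventID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <!-- S-1-5-18 is LocalSystem. Everything the action runs, including the
           dot-sourced script, executes with that account's privileges. -->
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <!-- Parallel starts a new PowerShell process for every matching event. A burst
         of failed logins therefore becomes a burst of SYSTEM processes; consider
         Queue, or rate limiting in the script, if that load is a concern. -->
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>false</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <!-- Each instance may run for up to one hour before it is stopped. -->
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <!-- 0 is the highest priority level the task schema defines (the schema
         default is 7). Combined with Parallel, many instances at this priority
         can starve other work on the host. -->
    <Priority>0</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <!-- NoProfile keeps profile scripts out of this SYSTEM session and
           NonInteractive prevents the process from waiting on a prompt.
           The ampersand is written as an entity so the document is well-formed.

           NOTE(review): $(EventData) is substituted as plain text into the command
           string before PowerShell parses it, and the single quotes around it are
           the only thing separating data from code. Failed-login events carry
           client-supplied fields (for example the login name), so a value that
           contains a quote character would be parsed as PowerShell and run as
           LocalSystem. The robust fix needs a change in PSLoginMonitor.ps1: pass
           only a value the client cannot influence (for example a ValueQuery on
           Event/System/EventRecordID) and let the script read the record itself
           with Get-WinEvent. -->
      <Arguments>-NoProfile -NonInteractive -command "&amp; {. .\PSLoginMonitor.ps1; On-FailedMSSQLLogin '$(EventID)' '$(EventData)'}"</Arguments>
      <!-- The script above is dot-sourced relative to this directory, which is left
           empty here. Set it to the folder that holds PSLoginMonitor.ps1
           (placeholder: C:\path\to\PSLoginMonitor) and make sure only
           administrators can write to that folder and to the script, because
           whatever is found there runs as LocalSystem. -->
      <WorkingDirectory></WorkingDirectory>
    </Exec>
  </Actions>
</Task>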