{
  "id": "57b399a8-8cb4-492d-b8ce-3a97b3b524f5",
  "rev": 1,
  "v": "1",
  "name": "Windows Authentication Failure Monitoring",
  "summary": "Content Pack for Monitoring Authentication Failures in Windows Security Logs",
  "description": "A monitoring content pack that combines Input, Stream, Dashboard, Event Definitions, and Email Notification features for Windows Security log Event IDs 4625, 4771, and 4776.",
  "vendor": "DesigNET.inc",
  "url": "",
  "created_at": "2026-04-08T02:40:21.586Z",
  "server_version": "7.0.5+1a1d8ce",
  "parameters": [
    {
      "name": "input_bind_address",
      "title": "Input bind address",
      "description": "Bind address for the Windows log input. Set during content pack installation.",
      "type": "string",
      "default_value": "0.0.0.0"
    },
    {
      "name": "input_port",
      "title": "Input port",
      "description": "Listening port for the Windows log input. Set during content pack installation.",
      "type": "integer",
      "default_value": 10514
    },
    {
      "name": "privileged_account_query",
      "title": "Privileged account query",
      "description": "Search query used to detect authentication failures against privileged accounts.",
      "type": "string",
      "default_value": "TargetUserName:Administrator OR TargetUserName:admin"
    }
  ],
  "entities": [
    {
      "id": "52595ed0-6116-4217-9e2e-2f603c00eb5f",
      "type": {
        "name": "dashboard",
        "version": "2"
      },
      "v": "1",
      "data": {
        "summary": {
          "@type": "string",
          "@value": "A dashboard that visualizes authentication failure events in the Windows Security log"
        },
        "search": {
          "queries": [
            {
              "id": "fe014ead-ed30-4a07-ac78-91a089eea7d9",
              "timerange": {
                "from": 3600,
                "type": "relative"
              },
              "filter": {
                "type": "or",
                "filters": [
                  {
                    "type": "stream",
                    "id": "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  }
                ]
              },
              "filters": [],
              "query": {
                "type": "elasticsearch",
                "query_string": ""
              },
              "search_types": [
                {
                  "query": {
                    "type": "elasticsearch",
                    "query_string": ""
                  },
                  "name": "chart",
                  "timerange": {
                    "from": 3600,
                    "type": "relative"
                  },
                  "column_limit": null,
                  "streams": [
                    "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  ],
                  "row_limit": null,
                  "series": [
                    {
                      "type": "count",
                      "id": "Count",
                      "field": null
                    }
                  ],
                  "filter": null,
                  "rollup": true,
                  "row_groups": [
                    {
                      "type": "time",
                      "fields": [
                        "timestamp"
                      ],
                      "interval": {
                        "type": "timeunit",
                        "timeunit": "5m"
                      }
                    }
                  ],
                  "type": "pivot",
                  "stream_categories": [],
                  "id": "131bf5d8-bb5e-4444-939a-3aa1c9cd12e0",
                  "filters": [],
                  "column_groups": [],
                  "sort": []
                },
                {
                  "query": {
                    "type": "elasticsearch",
                    "query_string": ""
                  },
                  "name": null,
                  "timerange": {
                    "from": 3600,
                    "type": "relative"
                  },
                  "offset": 0,
                  "streams": [
                    "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  ],
                  "filter": null,
                  "decorators": [],
                  "type": "messages",
                  "stream_categories": [],
                  "id": "b0e05a19-e069-4124-99fd-d96aab61d806",
                  "limit": 150,
                  "filters": []
                },
                {
                  "query": {
                    "type": "elasticsearch",
                    "query_string": ""
                  },
                  "name": "chart",
                  "timerange": {
                    "from": 3600,
                    "type": "relative"
                  },
                  "column_limit": null,
                  "streams": [
                    "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  ],
                  "row_limit": null,
                  "series": [
                    {
                      "type": "count",
                      "id": "Count",
                      "field": null
                    }
                  ],
                  "filter": null,
                  "rollup": true,
                  "row_groups": [
                    {
                      "type": "values",
                      "fields": [
                        "EventID"
                      ],
                      "limit": 10,
                      "skip_empty_values": false
                    }
                  ],
                  "type": "pivot",
                  "stream_categories": [],
                  "id": "40e88697-a2ec-431f-80a2-4df5888cacd4",
                  "filters": [],
                  "column_groups": [],
                  "sort": [
                    {
                      "type": "series",
                      "field": "count()",
                      "direction": "Descending"
                    }
                  ]
                },
                {
                  "query": {
                    "type": "elasticsearch",
                    "query_string": ""
                  },
                  "name": null,
                  "timerange": {
                    "from": 3600,
                    "type": "relative"
                  },
                  "offset": 0,
                  "streams": [
                    "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  ],
                  "filter": null,
                  "decorators": [],
                  "type": "messages",
                  "stream_categories": [],
                  "id": "e16ca686-7f6a-4925-9c04-b7acc607d71b",
                  "limit": 150,
                  "filters": []
                },
                {
                  "query": {
                    "type": "elasticsearch",
                    "query_string": ""
                  },
                  "name": "chart",
                  "timerange": {
                    "from": 3600,
                    "type": "relative"
                  },
                  "column_limit": null,
                  "streams": [
                    "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  ],
                  "row_limit": null,
                  "series": [
                    {
                      "type": "count",
                      "id": "count()",
                      "field": null
                    }
                  ],
                  "filter": null,
                  "rollup": true,
                  "row_groups": [
                    {
                      "type": "time",
                      "fields": [
                        "timestamp"
                      ],
                      "interval": {
                        "type": "auto",
                        "scaling": 1
                      }
                    }
                  ],
                  "type": "pivot",
                  "stream_categories": [],
                  "id": "91363a77-fa59-4e6f-8386-95ec30d3ebdf",
                  "filters": [],
                  "column_groups": [],
                  "sort": []
                },
                {
                  "query": {
                    "type": "elasticsearch",
                    "query_string": ""
                  },
                  "name": "chart",
                  "timerange": {
                    "from": 3600,
                    "type": "relative"
                  },
                  "column_limit": null,
                  "streams": [
                    "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  ],
                  "row_limit": null,
                  "series": [
                    {
                      "type": "count",
                      "id": "Count",
                      "field": null
                    }
                  ],
                  "filter": null,
                  "rollup": true,
                  "row_groups": [
                    {
                      "type": "values",
                      "fields": [
                        "IpAddress"
                      ],
                      "limit": 10,
                      "skip_empty_values": false
                    }
                  ],
                  "type": "pivot",
                  "stream_categories": [],
                  "id": "a8510b47-284c-412a-803a-af2e8b554f2e",
                  "filters": [],
                  "column_groups": [],
                  "sort": [
                    {
                      "type": "series",
                      "field": "count()",
                      "direction": "Descending"
                    }
                  ]
                },
                {
                  "query": {
                    "type": "elasticsearch",
                    "query_string": ""
                  },
                  "name": "chart",
                  "timerange": {
                    "from": 3600,
                    "type": "relative"
                  },
                  "column_limit": null,
                  "streams": [
                    "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  ],
                  "row_limit": null,
                  "series": [
                    {
                      "type": "count",
                      "id": "Count",
                      "field": null
                    }
                  ],
                  "filter": null,
                  "rollup": true,
                  "row_groups": [
                    {
                      "type": "values",
                      "fields": [
                        "source"
                      ],
                      "limit": 10,
                      "skip_empty_values": false
                    }
                  ],
                  "type": "pivot",
                  "stream_categories": [],
                  "id": "7659cf47-e4ae-4d60-a061-1782a7470cd0",
                  "filters": [],
                  "column_groups": [],
                  "sort": [
                    {
                      "type": "series",
                      "field": "count()",
                      "direction": "Descending"
                    }
                  ]
                },
                {
                  "query": {
                    "type": "elasticsearch",
                    "query_string": ""
                  },
                  "name": "chart",
                  "timerange": {
                    "from": 3600,
                    "type": "relative"
                  },
                  "column_limit": null,
                  "streams": [
                    "29a61614-46bc-4cbd-a118-5d363b5971b4"
                  ],
                  "row_limit": null,
                  "series": [
                    {
                      "type": "count",
                      "id": "Count",
                      "field": null
                    }
                  ],
                  "filter": null,
                  "rollup": true,
                  "row_groups": [
                    {
                      "type": "values",
                      "fields": [
                        "TargetUserName"
                      ],
                      "limit": 10,
                      "skip_empty_values": false
                    }
                  ],
                  "type": "pivot",
                  "stream_categories": [],
                  "id": "b5b4509b-00d0-464c-8651-d215a928e829",
                  "filters": [],
                  "column_groups": [],
                  "sort": [
                    {
                      "type": "series",
                      "field": "count()",
                      "direction": "Descending"
                    }
                  ]
                }
              ]
            }
          ],
          "parameters": [],
          "requires": {

          },
          "owner": "admin",
          "created_at": "2026-03-18T02:29:30.801Z"
        },
        "created_at": "2026-03-18T01:48:46.243Z",
        "requires": {

        },
        "state": {
          "fe014ead-ed30-4a07-ac78-91a089eea7d9": {
            "selected_fields": null,
            "static_message_list_id": null,
            "titles": {
              "widget": {
                "c2e26a60-257f-4640-950b-26fe001d97a4": "Message Count",
                "3158e5d3-8eac-450f-9402-36675894ff0c": "All Messages",
                "be3336d6-f93f-439a-8ecb-687997b095d0": "Top Users by Number of Failures",
                "fd190e09-32fa-48d5-a0fa-98d2d4dab115": "Top IP Addresses by Number of Failures",
                "bea2908f-a44e-4482-ae67-a1b391bb7909": "Top Hosts by Number of Failures",
                "4a5ab043-df3c-4e7d-80c1-32e5e4ffa43c": "Trend in the Number of Authentication Failures",
                "83ae141f-fa67-4c0d-97c6-86c111a44527": "Breakdown of Authentication Failure Types",
                "c0628f09-6653-4beb-a844-34b603728463": "Recent Authentication Failure Events"
              }
            },
            "widgets": [
              {
                "config": {
                  "visualization": "table",
                  "units": {

                  },
                  "column_limit": null,
                  "event_annotation": false,
                  "row_limit": 10,
                  "row_pivots": [
                    {
                      "fields": [
                        "TargetUserName"
                      ],
                      "type": "values",
                      "config": {
                        "limit": 10
                      }
                    }
                  ],
                  "series": [
                    {
                      "config": {
                        "name": "Count",
                        "thresholds": []
                      },
                      "function": "count()"
                    }
                  ],
                  "rollup": false,
                  "column_pivots": [],
                  "visualization_config": {
                    "pinned_columns": [],
                    "show_row_numbers": true
                  },
                  "formatting_settings": null,
                  "sort": [
                    {
                      "type": "series",
                      "field": "count()",
                      "direction": "Descending"
                    }
                  ]
                },
                "query": {
                  "type": "elasticsearch",
                  "query_string": ""
                },
                "context": null,
                "timerange": {
                  "from": 3600,
                  "type": "relative"
                },
                "streams": [
                  "29a61614-46bc-4cbd-a118-5d363b5971b4"
                ],
                "filter": null,
                "type": "aggregation",
                "stream_categories": [],
                "id": "be3336d6-f93f-439a-8ecb-687997b095d0",
                "filters": [],
                "description": null
              },
              {
                "config": {
                  "visualization": "pie",
                  "units": {

                  },
                  "column_limit": null,
                  "event_annotation": false,
                  "row_limit": 10,
                  "row_pivots": [
                    {
                      "fields": [
                        "EventID"
                      ],
                      "type": "values",
                      "config": {
                        "limit": 10
                      }
                    }
                  ],
                  "series": [
                    {
                      "config": {
                        "name": "Count",
                        "thresholds": []
                      },
                      "function": "count()"
                    }
                  ],
                  "rollup": false,
                  "column_pivots": [],
                  "visualization_config": null,
                  "formatting_settings": null,
                  "sort": [
                    {
                      "type": "series",
                      "field": "count()",
                      "direction": "Descending"
                    }
                  ]
                },
                "query": {
                  "type": "elasticsearch",
                  "query_string": ""
                },
                "context": null,
                "timerange": {
                  "from": 3600,
                  "type": "relative"
                },
                "streams": [
                  "29a61614-46bc-4cbd-a118-5d363b5971b4"
                ],
                "filter": null,
                "type": "aggregation",
                "stream_categories": [],
                "id": "83ae141f-fa67-4c0d-97c6-86c111a44527",
                "filters": [],
                "description": null
              },
              {
                "config": {
                  "visualization": "table",
                  "units": {

                  },
                  "column_limit": null,
                  "event_annotation": false,
                  "row_limit": 10,
                  "row_pivots": [
                    {
                      "fields": [
                        "IpAddress"
                      ],
                      "type": "values",
                      "config": {
                        "limit": 10
                      }
                    }
                  ],
                  "series": [
                    {
                      "config": {
                        "name": "Count",
                        "thresholds": []
                      },
                      "function": "count()"
                    }
                  ],
                  "rollup": false,
                  "column_pivots": [],
                  "visualization_config": {
                    "pinned_columns": [],
                    "show_row_numbers": true
                  },
                  "formatting_settings": null,
                  "sort": [
                    {
                      "type": "series",
                      "field": "count()",
                      "direction": "Descending"
                    }
                  ]
                },
                "query": {
                  "type": "elasticsearch",
                  "query_string": ""
                },
                "context": null,
                "timerange": {
                  "from": 3600,
                  "type": "relative"
                },
                "streams": [
                  "29a61614-46bc-4cbd-a118-5d363b5971b4"
                ],
                "filter": null,
                "type": "aggregation",
                "stream_categories": [],
                "id": "fd190e09-32fa-48d5-a0fa-98d2d4dab115",
                "filters": [],
                "description": null
              },
              {
                "config": {
                  "fields": [
                    "timestamp",
                    "source"
                  ],
                  "units": {

                  },
                  "show_message_row": true,
                  "show_summary": true,
                  "decorators": [],
                  "sort": [
                    {
                      "type": "pivot",
                      "field": "timestamp",
                      "direction": "Descending"
                    }
                  ]
                },
                "query": {
                  "type": "elasticsearch",
                  "query_string": ""
                },
                "context": null,
                "timerange": {
                  "from": 3600,
                  "type": "relative"
                },
                "streams": [
                  "29a61614-46bc-4cbd-a118-5d363b5971b4"
                ],
                "filter": null,
                "type": "messages",
                "stream_categories": [],
                "id": "3158e5d3-8eac-450f-9402-36675894ff0c",
                "filters": [],
                "description": null
              },
              {
                "config": {
                  "fields": [
                    "timestamp",
                    "source",
                    "EventID",
                    "TargetUserName",
                    "IpAddress"
                  ],
                  "units": {

                  },
                  "show_message_row": true,
                  "show_summary": false,
                  "decorators": [],
                  "sort": [
                    {
                      "type": "pivot",
                      "field": "timestamp",
                      "direction": "Descending"
                    }
                  ]
                },
                "query": {
                  "type": "elasticsearch",
                  "query_string": ""
                },
                "context": null,
                "timerange": {
                  "from": 3600,
                  "type": "relative"
                },
                "streams": [
                  "29a61614-46bc-4cbd-a118-5d363b5971b4"
                ],
                "filter": null,
                "type": "messages",
                "stream_categories": [],
                "id": "c0628f09-6653-4beb-a844-34b603728463",
                "filters": [],
                "description": null
              },
              {
                "config": {
                  "visualization": "bar",
                  "units": {

                  },
                  "column_limit": null,
                  "event_annotation": false,
                  "row_limit": null,
                  "row_pivots": [
                    {
                      "fields": [
                        "timestamp"
                      ],
                      "type": "time",
                      "config": {
                        "interval": {
                          "type": "auto",
                          "scaling": 1
                        }
                      }
                    }
                  ],
                  "series": [
                    {
                      "config": {
                        "name": null,
                        "thresholds": []
                      },
                      "function": "count()"
                    }
                  ],
                  "rollup": true,
                  "column_pivots": [],
                  "visualization_config": null,
                  "formatting_settings": null,
                  "sort": []
                },
                "query": {
                  "type": "elasticsearch",
                  "query_string": ""
                },
                "context": null,
                "timerange": {
                  "from": 3600,
                  "type": "relative"
                },
                "streams": [
                  "29a61614-46bc-4cbd-a118-5d363b5971b4"
                ],
                "filter": null,
                "type": "aggregation",
                "stream_categories": [],
                "id": "c2e26a60-257f-4640-950b-26fe001d97a4",
                "filters": [],
                "description": null
              },
              {
                "config": {
                  "visualization": "table",
                  "units": {

                  },
                  "column_limit": null,
                  "event_annotation": false,
                  "row_limit": 10,
                  "row_pivots": [
                    {
                      "fields": [
                        "source"
                      ],
                      "type": "values",
                      "config": {
                        "limit": 10
                      }
                    }
                  ],
                  "series": [
                    {
                      "config": {
                        "name": "Count",
                        "thresholds": []
                      },
                      "function": "count()"
                    }
                  ],
                  "rollup": false,
                  "column_pivots": [],
                  "visualization_config": {
                    "pinned_columns": [],
                    "show_row_numbers": true
                  },
                  "formatting_settings": null,
                  "sort": [
                    {
                      "type": "series",
                      "field": "count()",
                      "direction": "Descending"
                    }
                  ]
                },
                "query": {
                  "type": "elasticsearch",
                  "query_string": ""
                },
                "context": null,
                "timerange": {
                  "from": 3600,
                  "type": "relative"
                },
                "streams": [
                  "29a61614-46bc-4cbd-a118-5d363b5971b4"
                ],
                "filter": null,
                "type": "aggregation",
                "stream_categories": [],
                "id": "bea2908f-a44e-4482-ae67-a1b391bb7909",
                "filters": [],
                "description": null
              },
              {
                "config": {
                  "visualization": "bar",
                  "units": {

                  },
                  "column_limit": null,
                  "event_annotation": false,
                  "row_limit": null,
                  "row_pivots": [
                    {
                      "fields": [
                        "timestamp"
                      ],
                      "type": "time",
                      "config": {
                        "interval": {
                          "type": "timeunit",
                          "value": 5,
                          "unit": "minutes"
                        }
                      }
                    }
                  ],
                  "series": [
                    {
                      "config": {
                        "name": "Count",
                        "thresholds": []
                      },
                      "function": "count()"
                    }
                  ],
                  "rollup": false,
                  "column_pivots": [],
                  "visualization_config": {
                    "barmode": "group",
                    "axis_type": "linear"
                  },
                  "formatting_settings": null,
                  "sort": []
                },
                "query": {
                  "type": "elasticsearch",
                  "query_string": ""
                },
                "context": null,
                "timerange": {
                  "from": 3600,
                  "type": "relative"
                },
                "streams": [
                  "29a61614-46bc-4cbd-a118-5d363b5971b4"
                ],
                "filter": null,
                "type": "aggregation",
                "stream_categories": [],
                "id": "4a5ab043-df3c-4e7d-80c1-32e5e4ffa43c",
                "filters": [],
                "description": null
              }
            ],
            "widget_mapping": {
              "83ae141f-fa67-4c0d-97c6-86c111a44527": [
                "40e88697-a2ec-431f-80a2-4df5888cacd4"
              ],
              "be3336d6-f93f-439a-8ecb-687997b095d0": [
                "b5b4509b-00d0-464c-8651-d215a928e829"
              ],
              "4a5ab043-df3c-4e7d-80c1-32e5e4ffa43c": [
                "131bf5d8-bb5e-4444-939a-3aa1c9cd12e0"
              ],
              "c2e26a60-257f-4640-950b-26fe001d97a4": [
                "91363a77-fa59-4e6f-8386-95ec30d3ebdf"
              ],
              "3158e5d3-8eac-450f-9402-36675894ff0c": [
                "e16ca686-7f6a-4925-9c04-b7acc607d71b"
              ],
              "bea2908f-a44e-4482-ae67-a1b391bb7909": [
                "7659cf47-e4ae-4d60-a061-1782a7470cd0"
              ],
              "c0628f09-6653-4beb-a844-34b603728463": [
                "b0e05a19-e069-4124-99fd-d96aab61d806"
              ],
              "fd190e09-32fa-48d5-a0fa-98d2d4dab115": [
                "a8510b47-284c-412a-803a-af2e8b554f2e"
              ]
            },
            "positions": {
              "c2e26a60-257f-4640-950b-26fe001d97a4": {
                "col": 1,
                "row": 1,
                "height": 2,
                "width": "Infinity"
              },
              "3158e5d3-8eac-450f-9402-36675894ff0c": {
                "col": 1,
                "row": 15,
                "height": 3,
                "width": "Infinity"
              },
              "be3336d6-f93f-439a-8ecb-687997b095d0": {
                "col": 1,
                "row": 7,
                "height": 4,
                "width": 4
              },
              "fd190e09-32fa-48d5-a0fa-98d2d4dab115": {
                "col": 5,
                "row": 7,
                "height": 4,
                "width": 4
              },
              "bea2908f-a44e-4482-ae67-a1b391bb7909": {
                "col": 9,
                "row": 7,
                "height": 4,
                "width": 4
              },
              "4a5ab043-df3c-4e7d-80c1-32e5e4ffa43c": {
                "col": 1,
                "row": 11,
                "height": 4,
                "width": 4
              },
              "83ae141f-fa67-4c0d-97c6-86c111a44527": {
                "col": 5,
                "row": 11,
                "height": 4,
                "width": 4
              },
              "c0628f09-6653-4beb-a844-34b603728463": {
                "col": 1,
                "row": 3,
                "height": 4,
                "width": "Infinity"
              }
            },
            "formatting": {
              "highlighting": []
            },
            "display_mode_settings": {
              "positions": {

              }
            }
          }
        },
        "properties": [],
        "owner": "admin",
        "title": {
          "@type": "string",
          "@value": "Windows Authentication Failures Overview"
        },
        "type": "DASHBOARD",
        "description": {
          "@type": "string",
          "@value": "A monitoring dashboard that displays trends in the number of authentication failures, top users, top source IP addresses, top hosts, a breakdown by type, and a list of recent events for Event IDs 4625, 4771, and 4776."
        }
      },
      "constraints": [
        {
          "type": "server-version",
          "version": "\u003E=7.0.5+1a1d8ce"
        }
      ]
    },
    {
      "id": "45daeba0-1e9e-4e4f-a0fe-b932b71816bf",
      "type": {
        "name": "event_definition",
        "version": "1"
      },
      "v": "1",
      "data": {
        "field_spec": {

        },
        "config": {
          "query_parameters": [],
          "search_within_ms": 600000,
          "query": {
            "@type": "string",
            "@value": ""
          },
          "cron_expression": null,
          "cron_timezone": null,
          "use_cron_scheduling": false,
          "streams": [
            "29a61614-46bc-4cbd-a118-5d363b5971b4"
          ],
          "execute_every_ms": 60000,
          "event_limit": 100,
          "group_by": [
            "IpAddress"
          ],
          "series": [
            {
              "type": "count",
              "id": "count-",
              "field": null
            }
          ],
          "conditions": {
            "expression": {
              "expr": "\u003E=",
              "left": {
                "expr": "number-ref",
                "ref": "count-"
              },
              "right": {
                "expr": "number",
                "value": 5
              }
            }
          },
          "type": "aggregation-v1",
          "stream_categories": [],
          "filters": []
        },
        "priority": {
          "@type": "integer",
          "@value": 3
        },
        "notifications": [
          {
            "notification_id": {
              "@type": "string",
              "@value": "86422afb-39a9-44c4-835c-ccf75c1360f8"
            },
            "notification_parameters": null
          }
        ],
        "remediation_steps": null,
        "matched_at": "2026-04-02T07:53:54.409Z",
        "event_procedure": null,
        "_scope": {
          "@type": "string",
          "@value": "DEFAULT"
        },
        "notification_settings": {
          "grace_period_ms": 300000,
          "backlog_size": 5
        },
        "updated_at": "2026-03-23T02:41:49.950Z",
        "title": {
          "@type": "string",
          "@value": "Windows Auth Failures - Repeated Failures From Same IP"
        },
        "is_scheduled": {
          "@type": "boolean",
          "@value": true
        },
        "key_spec": [],
        "storage": [
          {
            "type": "persist-to-streams-v1",
            "streams": [
              "000000000000000000000002"
            ]
          }
        ],
        "alert": {
          "@type": "boolean",
          "@value": true
        },
        "description": {
          "@type": "string",
          "@value": "Detects repeated authentication failures from the same IP address (5 or more within 10 minutes)"
        }
      },
      "constraints": [
        {
          "type": "server-version",
          "version": "\u003E=7.0.5+1a1d8ce"
        }
      ]
    },
    {
      "id": "8f052f7a-76f3-41eb-906a-700bff724cbb",
      "type": {
        "name": "event_definition",
        "version": "1"
      },
      "v": "1",
      "data": {
        "field_spec": {

        },
        "config": {
          "query_parameters": [],
          "search_within_ms": 300000,
          "query": {
            "@value": "privileged_account_query",
            "@type": "parameter"
          },
          "cron_expression": null,
          "cron_timezone": null,
          "use_cron_scheduling": false,
          "streams": [
            "29a61614-46bc-4cbd-a118-5d363b5971b4"
          ],
          "execute_every_ms": 60000,
          "event_limit": 100,
          "group_by": [],
          "series": [
            {
              "type": "count",
              "id": "count-",
              "field": null
            }
          ],
          "conditions": {
            "expression": {
              "expr": "\u003E=",
              "left": {
                "expr": "number-ref",
                "ref": "count-"
              },
              "right": {
                "expr": "number",
                "value": 1
              }
            }
          },
          "type": "aggregation-v1",
          "stream_categories": [],
          "filters": []
        },
        "priority": {
          "@type": "integer",
          "@value": 3
        },
        "notifications": [
          {
            "notification_id": {
              "@type": "string",
              "@value": "86422afb-39a9-44c4-835c-ccf75c1360f8"
            },
            "notification_parameters": null
          }
        ],
        "remediation_steps": null,
        "matched_at": "2026-03-23T05:12:20.799Z",
        "event_procedure": null,
        "_scope": {
          "@type": "string",
          "@value": "DEFAULT"
        },
        "notification_settings": {
          "grace_period_ms": 300000,
          "backlog_size": 5
        },
        "updated_at": "2026-03-23T02:41:31.361Z",
        "title": {
          "@type": "string",
          "@value": "Windows Auth Failures - Privileged Account Failure"
        },
        "is_scheduled": {
          "@type": "boolean",
          "@value": true
        },
        "key_spec": [],
        "storage": [
          {
            "type": "persist-to-streams-v1",
            "streams": [
              "000000000000000000000002"
            ]
          }
        ],
        "alert": {
          "@type": "boolean",
          "@value": true
        },
        "description": {
          "@type": "string",
          "@value": "Detects failed authentication attempts against privileged accounts, as matched by the privileged account query (by default the Administrator and admin accounts)"
        }
      },
      "constraints": [
        {
          "type": "server-version",
          "version": "\u003E=7.0.5+1a1d8ce"
        }
      ]
    },
    {
      "id": "a104d65d-4e36-4d68-956a-ed8840e263fb",
      "type": {
        "name": "event_definition",
        "version": "1"
      },
      "v": "1",
      "data": {
        "field_spec": {

        },
        "config": {
          "query_parameters": [],
          "search_within_ms": 300000,
          "query": {
            "@type": "string",
            "@value": ""
          },
          "cron_expression": null,
          "cron_timezone": null,
          "use_cron_scheduling": false,
          "streams": [
            "29a61614-46bc-4cbd-a118-5d363b5971b4"
          ],
          "execute_every_ms": 60000,
          "event_limit": 100,
          "group_by": [],
          "series": [
            {
              "type": "count",
              "id": "count-",
              "field": null
            }
          ],
          "conditions": {
            "expression": {
              "expr": "\u003E=",
              "left": {
                "expr": "number-ref",
                "ref": "count-"
              },
              "right": {
                "expr": "number",
                "value": 10
              }
            }
          },
          "type": "aggregation-v1",
          "stream_categories": [],
          "filters": []
        },
        "priority": {
          "@type": "integer",
          "@value": 3
        },
        "notifications": [
          {
            "notification_id": {
              "@type": "string",
              "@value": "86422afb-39a9-44c4-835c-ccf75c1360f8"
            },
            "notification_parameters": null
          }
        ],
        "remediation_steps": null,
        "matched_at": "2026-03-23T05:14:49.966Z",
        "event_procedure": null,
        "_scope": {
          "@type": "string",
          "@value": "DEFAULT"
        },
        "notification_settings": {
          "grace_period_ms": 300000,
          "backlog_size": 5
        },
        "updated_at": "2026-03-23T02:41:59.744Z",
        "title": {
          "@type": "string",
          "@value": "Windows Auth Failures - Volume Threshold"
        },
        "is_scheduled": {
          "@type": "boolean",
          "@value": true
        },
        "key_spec": [],
        "storage": [
          {
            "type": "persist-to-streams-v1",
            "streams": [
              "000000000000000000000002"
            ]
          }
        ],
        "alert": {
          "@type": "boolean",
          "@value": true
        },
        "description": {
          "@type": "string",
          "@value": "Detects 10 or more authentication failures within 5 minutes"
        }
      },
      "constraints": [
        {
          "type": "server-version",
          "version": "\u003E=7.0.5+1a1d8ce"
        }
      ]
    },
    {
      "id": "06def196-c5f7-4718-88fa-58940718740e",
      "type": {
        "name": "input",
        "version": "1"
      },
      "v": "1",
      "data": {
        "title": {
          "@type": "string",
          "@value": "Windows_client"
        },
        "configuration": {
          "recv_buffer_size": {
            "@type": "integer",
            "@value": 262144
          },
          "port": {
            "@type": "integer",
            "@value": 10514
          },
          "number_worker_threads": {
            "@type": "integer",
            "@value": 2
          },
          "charset_name": {
            "@type": "string",
            "@value": "UTF-8"
          },
          "bind_address": {
            "@type": "string",
            "@value": "0.0.0.0"
          },
          "decompress_size_limit": {
            "@type": "integer",
            "@value": 8388608
          }
        },
        "static_fields": {

        },
        "type": {
          "@type": "string",
          "@value": "org.graylog2.inputs.gelf.udp.GELFUDPInput"
        },
        "global": {
          "@type": "boolean",
          "@value": true
        },
        "extractors": []
      },
      "constraints": [
        {
          "type": "server-version",
          "version": "\u003E=7.0.5+1a1d8ce"
        }
      ]
    },
    {
      "id": "86422afb-39a9-44c4-835c-ccf75c1360f8",
      "type": {
        "name": "notification",
        "version": "1"
      },
      "v": "1",
      "data": {
        "title": {
          "@type": "string",
          "@value": "Notify - Windows Auth Failure - Email"
        },
        "description": {
          "@type": "string",
          "@value": "Email Notifications for Monitoring Windows Authentication Failures"
        },
        "config": {
          "bcc_emails_lut_key": {
            "@type": "string",
            "@value": ""
          },
          "sender_lut_key": {
            "@type": "string",
            "@value": ""
          },
          "lookup_recipient_emails": {
            "@type": "boolean",
            "@value": false
          },
          "cc_emails_lut_key": {
            "@type": "string",
            "@value": ""
          },
          "html_body_template": {
            "@type": "string",
            "@value": "\u003Chtml\u003E\n  \u003Cbody style=\"font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333333; line-height: 1.6;\"\u003E\n    \u003Ch2 style=\"margin-bottom: 12px; color: #222222;\"\u003EGraylog Alert\u003C/h2\u003E\n\n    \u003Ctable style=\"border-collapse: collapse; width: 100%; max-width: 800px; margin-bottom: 20px;\"\u003E\n      \u003Ctr\u003E\n        \u003Ctd colspan=\"2\" style=\"background-color: #f2f2f2; padding: 8px; font-weight: bold; border: 1px solid #dddddd;\"\u003E\n          Overview\n        \u003C/td\u003E\n      \u003C/tr\u003E\n      \u003Ctr\u003E\n        \u003Ctd style=\"width: 160px; padding: 8px; border: 1px solid #dddddd; font-weight: bold;\"\u003ERule\u003C/td\u003E\n        \u003Ctd style=\"padding: 8px; border: 1px solid #dddddd;\"\u003E${event_definition_title}\u003C/td\u003E\n      \u003C/tr\u003E\n      \u003Ctr\u003E\n        \u003Ctd style=\"padding: 8px; border: 1px solid #dddddd; font-weight: bold;\"\u003EDescription\u003C/td\u003E\n        \u003Ctd style=\"padding: 8px; border: 1px solid #dddddd;\"\u003E${event_definition_description}\u003C/td\u003E\n      \u003C/tr\u003E\n      \u003Ctr\u003E\n        \u003Ctd style=\"padding: 8px; border: 1px solid #dddddd; font-weight: bold;\"\u003ETimestamp\u003C/td\u003E\n        \u003Ctd style=\"padding: 8px; border: 1px solid #dddddd;\"\u003E${event.timestamp}\u003C/td\u003E\n      \u003C/tr\u003E\n      \u003Ctr\u003E\n        \u003Ctd style=\"padding: 8px; border: 1px solid #dddddd; font-weight: bold;\"\u003EPriority\u003C/td\u003E\n        \u003Ctd style=\"padding: 8px; border: 1px solid #dddddd;\"\u003E${event.priority}\u003C/td\u003E\n      \u003C/tr\u003E\n    \u003C/table\u003E\n\n    \u003Cdiv style=\"margin-bottom: 20px;\"\u003E\n      \u003Cdiv style=\"background-color: #f2f2f2; padding: 8px; font-weight: bold; border: 1px solid #dddddd; border-bottom: none;\"\u003E\n        Summary\n      \u003C/div\u003E\n      \u003Cdiv 
style=\"padding: 12px; border: 1px solid #dddddd;\"\u003E\n        ${event.message}\n      \u003C/div\u003E\n    \u003C/div\u003E\n\n    ${if backlog}\n    \u003Cdiv style=\"margin-bottom: 20px;\"\u003E\n      \u003Cdiv style=\"background-color: #f2f2f2; padding: 8px; font-weight: bold; border: 1px solid #dddddd; border-bottom: none;\"\u003E\n        Backlog\n      \u003C/div\u003E\n      \u003Cdiv style=\"padding: 12px; border: 1px solid #dddddd;\"\u003E\n        \u003Cul style=\"margin: 0; padding-left: 20px;\"\u003E\n          ${foreach backlog message}\n          \u003Cli style=\"margin-bottom: 6px;\"\u003E${message}\u003C/li\u003E\n          ${end}\n        \u003C/ul\u003E\n      \u003C/div\u003E\n    \u003C/div\u003E\n    ${end}\n  \u003C/body\u003E\n\u003C/html\u003E"
          },
          "recipients_lut_name": {
            "@type": "string",
            "@value": ""
          },
          "single_email": {
            "@type": "boolean",
            "@value": false
          },
          "replyTo": {
            "@type": "string",
            "@value": ""
          },
          "recipients_lut_key": {
            "@type": "string",
            "@value": ""
          },
          "cc_emails_lut_name": {
            "@type": "string",
            "@value": ""
          },
          "sender_lut_name": {
            "@type": "string",
            "@value": ""
          },
          "cc_users": [],
          "bcc_emails_lut_name": {
            "@type": "string",
            "@value": ""
          },
          "bcc_users": [],
          "subject": {
            "@type": "string",
            "@value": "Graylog Alert: ${event_definition_title}"
          },
          "reply_to_lut_name": {
            "@type": "string",
            "@value": ""
          },
          "user_recipients": [],
          "lookup_cc_emails": {
            "@type": "boolean",
            "@value": false
          },
          "lookup_reply_to_email": {
            "@type": "boolean",
            "@value": false
          },
          "bcc_emails": [],
          "sender": {
            "@type": "string",
            "@value": ""
          },
          "cc_emails": [],
          "body_template": {
            "@type": "string",
            "@value": "[Graylog Alert]\n\n[Overview]\n- Rule: ${event_definition_title}\n- Description: ${event_definition_description}\n- Timestamp: ${event.timestamp}\n- Priority: ${event.priority}\n\n[Summary]\n${event.message}\n\n${if backlog}\n[Backlog]\n${foreach backlog message}\n- ${message}\n${end}\n${end}"
          },
          "lookup_sender_email": {
            "@type": "boolean",
            "@value": false
          },
          "lookup_bcc_emails": {
            "@type": "boolean",
            "@value": false
          },
          "type": "email-notification-v1",
          "include_event_procedures": {
            "@type": "boolean",
            "@value": false
          },
          "reply_to_lut_key": {
            "@type": "string",
            "@value": ""
          },
          "email_recipients": [
            "admin@example.com"
          ],
          "time_zone": {
            "@type": "string",
            "@value": "Asia/Tokyo"
          }
        }
      },
      "constraints": [
        {
          "type": "server-version",
          "version": "\u003E=7.0.5+1a1d8ce"
        }
      ]
    },
    {
      "id": "29a61614-46bc-4cbd-a118-5d363b5971b4",
      "type": {
        "name": "stream",
        "version": "1"
      },
      "v": "1",
      "data": {
        "alarm_callbacks": [],
        "outputs": [],
        "remove_matches": {
          "@type": "boolean",
          "@value": false
        },
        "title": {
          "@type": "string",
          "@value": "Windows - Authentication Failures"
        },
        "stream_rules": [
          {
            "type": {
              "@type": "string",
              "@value": "EXACT"
            },
            "field": {
              "@type": "string",
              "@value": "EventID"
            },
            "value": {
              "@type": "string",
              "@value": "4625"
            },
            "inverted": {
              "@type": "boolean",
              "@value": false
            },
            "description": {
              "@type": "string",
              "@value": ""
            }
          },
          {
            "type": {
              "@type": "string",
              "@value": "EXACT"
            },
            "field": {
              "@type": "string",
              "@value": "EventID"
            },
            "value": {
              "@type": "string",
              "@value": "4771"
            },
            "inverted": {
              "@type": "boolean",
              "@value": false
            },
            "description": {
              "@type": "string",
              "@value": ""
            }
          },
          {
            "type": {
              "@type": "string",
              "@value": "EXACT"
            },
            "field": {
              "@type": "string",
              "@value": "EventID"
            },
            "value": {
              "@type": "string",
              "@value": "4776"
            },
            "inverted": {
              "@type": "boolean",
              "@value": false
            },
            "description": {
              "@type": "string",
              "@value": ""
            }
          }
        ],
        "alert_conditions": [],
        "matching_type": {
          "@type": "string",
          "@value": "OR"
        },
        "disabled": {
          "@type": "boolean",
          "@value": false
        },
        "description": {
          "@type": "string",
          "@value": "Windows Security log authentication failure events (EventID 4625, 4771, or 4776)"
        },
        "default_stream": {
          "@type": "boolean",
          "@value": false
        }
      },
      "constraints": [
        {
          "type": "server-version",
          "version": "\u003E=7.0.5+1a1d8ce"
        }
      ]
    }
  ]
}
