

Large Amount of Audit Failures (Threshold)


You can use threshold filters in a variety of scenarios, one of them being to notify you when a large number of audit failures is written to the event log.


This is especially useful in combination with database consolidation: once unusually high activity is detected in the security log, you can immediately investigate the events collected in the central database.


Let's assume that any given domain controller gets approximately 50 audit failures an hour, and you would like to be notified if more than 100 are logged in an hour.


To accomplish this, create an include filter that matches Audit Failure events (e.g. Log=Security;Severity=Audit Failures) and add the following threshold options to the filter. An explanation is given below the screenshot.


[Screenshot: eventlog_filter_threshold_1]


Event Logging: Log when threshold is met

Checking this box ensures that an Error event (the severity chosen in the pull-down selection right below it) is logged to the event log once 100 matching events have been written to the event log. The actual events are not forwarded with the notification.


Match events based on: Filter

Since we need to match all events, regardless of their detailed properties, the filter should increase its internal threshold counter with every event that matches the filter.
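The following Python snippet is an added example, not part of this documentation or the product: it models the threshold filter described above (one counter bumped by every matching event, a single Error notification when 100 Security/Audit Failure events land inside one hour, matching events not forwarded) and runs it over a constructed feed of 50 failures per hour followed by a burst. The Event record and its field names are assumptions made for the example.

```python
from collections import deque, namedtuple
from datetime import datetime, timedelta

# Constructed event record; field names are illustrative, not the product's.
Event = namedtuple("Event", "time log severity")   # e.g. Security / Audit Failure

class ThresholdFilter:
    """Include filter with a threshold: every matching event bumps one counter,
    and one Error notification fires when the count inside the window reaches
    the threshold (the matching events themselves are not forwarded)."""

    def __init__(self, log, severity, threshold, window):
        self.log, self.severity = log, severity
        self.threshold, self.window = threshold, window
        self.times = deque()    # timestamps of matching events still inside the window
        self.triggered = False  # suppresses repeat alerts until the count drops again
        self.alerts = []

    def feed(self, ev):
        """Process one event (events arrive in time order); return alert text or None."""
        if ev.log != self.log or ev.severity != self.severity:
            return None         # not matched by the include filter: counter untouched
        self.times.append(ev.time)
        cutoff = ev.time - self.window
        while self.times[0] < cutoff:   # age out events older than the window
            self.times.popleft()
        if len(self.times) < self.threshold:
            self.triggered = False       # re-arm once the burst has subsided
            return None
        if self.triggered:
            return None
        self.triggered = True
        alert = (f"Error: {len(self.times)} '{self.severity}' events in the "
                 f"{self.log} log within {self.window} (threshold {self.threshold})")
        self.alerts.append((ev.time, alert))
        return alert

def demo():
    """Constructed feed: 50 failures/hour for 2 hours, then a burst of 120 in 10 min."""
    f = ThresholdFilter("Security", "Audit Failure", 100, timedelta(hours=1))
    t0 = datetime(2024, 1, 1)
    events = [Event(t0 + timedelta(seconds=72 * i), "Security", "Audit Failure")
              for i in range(100)]
    events += [Event(t0 + timedelta(hours=2, seconds=5 * i), "Security", "Audit Failure")
               for i in range(120)]
    events.append(Event(t0 + timedelta(hours=1), "Security", "Audit Success"))  # ignored
    for ev in sorted(events, key=lambda e: e.time):
        f.feed(ev)
    return f.alerts            # exactly one alert, raised during the burst
```

The baseline never brings more than about 50 failures into the one-hour window, so the only alert is raised part-way through the burst, and it is raised once rather than for every further event.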