4625 on Windows 2025 not working.

[megyfexid]

Windows 2025 uses single quotes and not double quotes. I created this new config.xml entry to fix it.

<Task Name="BlockRDPBrutersBySecurity4625_WS2025" Active="true"> <Description>Server 2025 4625 events (LogonType 3). Bans sources with ≥5 fails in 2 min.</Description> <LockTime>3600</LockTime> <!-- temp ban, seconds --> <EventAge>120</EventAge> <!-- look-back window --> <TriggerCount>5</TriggerCount> <!-- fails before ban --> <PermaBanCount>3</PermaBanCount> <!-- promote to permanent --> <EventPath>Security</EventPath> <RegexBoosters> <Booster>4625</Booster> <Booster>LogonType'&gt;3</Booster> <Booster>IpAddress</Booster> </RegexBoosters> <!-- one-line regex (IPv4 or IPv6) --> <Regex>&lt;Data Name=.LogonType.&gt;3&lt;[\s\S]*?&lt;Data Name=.IpAddress.&gt;((?:\d{1,3}\.){3}\d{1,3}|(?:[A-Fa-f0-9]{1,4}:){2,7}[A-Fa-f0-9]{1,4})</Regex> <OnlyNew>False</OnlyNew> </Task>