I created policies for monitoring Windows Events.
I created a high threshold of 2111111111 events in 30 minutes and it fires up constantly.
The thing is: in investigate i searched for events in a minute and i get 20000. 20000x30 minutes gives me 630000.
So the question is how does te monitoring policies work to fire up the alarm for 2111111111??
From experience I've seen than this is not working properly if the value in your threshold is either too high or too low.
For example if you specified 5 or 500000000 it might not work as if you did with 100 or 500000.
Try to use as realistic values as possible for your environment and do a lot of testing before you can rely on this.