cyberteamgd
Level 7

Can I alert every single time an event of a certain type rolls in?

Hi all,

I was hoping someone might be able to help me figure out if this is possible via ESM. I am sure others have probably asked this, but I was unable to find anything answering my question after a lot of searching through google and this forum.


I want to email myself every single time someone adds a user to a security group.

Currently I have an alarm set up with the following Condition:
Internal Event Match: Signature ID: 43-263047280

Maximum Condition Trigger Frequency: 1 Minute

This alarm kind of does what I want: it emails out when users are added to security groups, and I set up a nice email template to tell the recipient who added whom and at what time.

The problem arises when you add more than one user to a security group back-to-back in quick succession. You end up only getting emailed about one of these events. I am assuming this is because the Maximum Condition Trigger Frequency is limiting me to only one email per minute, and logs arrive in groups at five minute intervals from the domain controllers. So basically the alarm sees five minutes worth of domain controller logs flood in all at once, notices 20 users got added to various security groups, and then sends one email about one of these events, but I want a separate email for each of these 20 events. I turned off aggregation for this type of event, but it still seems to send only one email if you add several users to groups all at once.

Here's my question: How do I set up an alarm which will send (any number) different emails if (any number) events happen within a one minute period? Is this even possible? Because right now it only sends one email, regardless of how many times the event happened since the last domain controller pull.

Thanks!

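The behaviour described in the post, modelled as an added example (this is not McAfee ESM code and not the poster's configuration): a batch of group-membership events that all land at once is fed to two alerters. The first mimics a condition that may trigger at most once per minute, so the whole batch collapses into a single notification; the second keys on the event record itself, so every addition produces its own notification while a re-delivered duplicate of the same record is suppressed. The event fields, the `group_member_added` signature label and the sample batch are constructed for illustration; how ESM implements its trigger frequency internally is the poster's inference, not confirmed here.

```python
"""Throttled vs. per-event alerting over a batched set of group-add events."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime        # time the event happened on the domain controller
    signature: str      # constructed label standing in for a signature ID
    actor: str          # account that performed the change
    member: str         # account that was added
    group: str          # security group that gained the member


# Constructed sample: five minutes of DC logs arriving in one pull, with
# three group additions a few seconds apart and one unrelated event.
SAMPLE_BATCH: List[Event] = [
    Event(datetime(2024, 1, 1, 9, 0, 5), "group_member_added", "admin1", "alice", "Domain Admins"),
    Event(datetime(2024, 1, 1, 9, 0, 7), "group_member_added", "admin1", "bob", "Domain Admins"),
    Event(datetime(2024, 1, 1, 9, 0, 9), "group_member_added", "admin2", "carol", "Backup Operators"),
    Event(datetime(2024, 1, 1, 9, 0, 11), "user_logon", "bob", "", ""),
]

# All records in the batch reach the SIEM at the same wall-clock moment.
BATCH_ARRIVAL = datetime(2024, 1, 1, 9, 5, 0)


def render_email(e: Event) -> str:
    """Body of the notification, in the spirit of the poster's template."""
    return f"{e.actor} added {e.member} to {e.group} at {e.ts.isoformat()}"


@dataclass
class ThrottledAlerter:
    """Fires at most once per `window` (a 'maximum trigger frequency').

    Because the trigger is gated on wall-clock time rather than on the
    event, every match after the first one in a window is dropped.
    """
    window: timedelta = timedelta(minutes=1)
    last_fire: Optional[datetime] = None
    sent: List[str] = field(default_factory=list)

    def process(self, batch: List[Event], now: datetime) -> List[str]:
        for e in batch:
            if e.signature != "group_member_added":
                continue
            if self.last_fire is not None and now - self.last_fire < self.window:
                continue  # suppressed: condition already fired in this window
            self.last_fire = now
            self.sent.append(render_email(e))
        return self.sent


@dataclass
class PerEventAlerter:
    """Fires once for every distinct matching event, regardless of timing.

    The dedup key is the event itself, so a batch of twenty additions
    yields twenty notifications, but the same record delivered twice
    (for example by an overlapping log pull) yields only one.
    """
    seen: Set[Tuple[datetime, str, str, str]] = field(default_factory=set)
    sent: List[str] = field(default_factory=list)

    def process(self, batch: List[Event]) -> List[str]:
        for e in batch:
            if e.signature != "group_member_added":
                continue
            key = (e.ts, e.actor, e.member, e.group)
            if key in self.seen:
                continue  # exact duplicate of a record already alerted on
            self.seen.add(key)
            self.sent.append(render_email(e))
        return self.sent


def run_throttled(batch: List[Event]) -> List[str]:
    return ThrottledAlerter().process(batch, BATCH_ARRIVAL)


def run_per_event(batch: List[Event]) -> List[str]:
    return PerEventAlerter().process(batch)


if __name__ == "__main__":
    print("throttled:", run_throttled(SAMPLE_BATCH))   # one email for the whole batch
    print("per-event:", run_per_event(SAMPLE_BATCH))   # one email per addition
```

The point of the comparison is that a time-based trigger limit answers "has this condition fired recently?", which is the wrong question when the arrival pattern is bursty; keying the notification on the event record answers "have I already alerted on this exact change?", which is what a one-email-per-addition requirement actually needs.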