I want to ask you about a correlation rule; you can see the screenshot below.
I've written the rule as:
Signature ID IN (43-*** - an account has logged on)
Time of day is NOT IN between 7 to 19
Day of week is IN Monday to Friday (work days)
Is this rule correct, or should I divide the filters and use AND logic so that Signature ID is filter 1, Time of Day is filter 2, and Day of Week is filter 3?
Second question: should I group by Destination User?
The correlation rule is correct. Don't split the components into AND or OR gates, because those are used for correlating multiple events. In your case you just need to correlate on the information inside Sig ID 43-***.
In my case I would group by Source User because Destination User is empty.
Here is a document which can help you in the future: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25633/en_US/...
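To make the answer concrete, here is an added illustration (not McAfee ESM code, and not from either poster) of what the single-filter rule evaluates: all three conditions on one event are ANDed together, and matches are then grouped by Source User. The signature ID value, the field names and the sample events are constructed for the example; the thread masks the real ID as 43-***, and whether 19:00 itself counts as in-hours is an assumption made in the code.

```python
"""After-hours logon detection modelled on the correlation rule discussed above.

Added example, not McAfee ESM's own logic: one filter whose conditions
(signature ID, time of day, day of week) must all hold (AND), then grouped
by source user as the answer suggests. Field names, the signature ID and
the sample events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed placeholder; the thread masks the real signature ID as 43-***.
LOGON_SIGNATURE_ID = "43-PLACEHOLDER"
WORK_HOURS = range(7, 19)   # assumption: 07:00-18:59 is in-hours, 19:00 onward is after hours
WORK_DAYS = range(0, 5)     # Monday (0) to Friday (4)


def matches_after_hours_logon(event: dict) -> bool:
    """All three conditions live in one filter; every one must hold (AND logic)."""
    if event.get("signature_id") != LOGON_SIGNATURE_ID:
        return False
    ts = datetime.fromisoformat(event["time"])
    if ts.hour in WORK_HOURS:          # "Time of day is NOT IN between 7 to 19"
        return False
    if ts.weekday() not in WORK_DAYS:  # "Day of week is IN Monday to Friday"
        return False
    return True


def group_by_source_user(events) -> dict:
    """Count matching events per Source User; Destination User is empty for these logons."""
    counts = defaultdict(int)
    for ev in events:
        if matches_after_hours_logon(ev):
            counts[ev["source_user"]] += 1
    return dict(counts)


# Constructed sample events. 2024-03-04 is a Monday, 2024-03-05 a Tuesday, 2024-03-09 a Saturday.
SAMPLE_EVENTS = [
    {"signature_id": LOGON_SIGNATURE_ID, "time": "2024-03-04T02:15:00", "source_user": "alice", "destination_user": ""},
    {"signature_id": LOGON_SIGNATURE_ID, "time": "2024-03-04T09:30:00", "source_user": "alice", "destination_user": ""},  # in hours
    {"signature_id": LOGON_SIGNATURE_ID, "time": "2024-03-09T03:00:00", "source_user": "bob", "destination_user": ""},    # Saturday
    {"signature_id": LOGON_SIGNATURE_ID, "time": "2024-03-05T22:45:00", "source_user": "bob", "destination_user": ""},
    {"signature_id": LOGON_SIGNATURE_ID, "time": "2024-03-05T23:10:00", "source_user": "bob", "destination_user": ""},
    {"signature_id": "99-OTHER", "time": "2024-03-05T23:20:00", "source_user": "carol", "destination_user": ""},       # other signature
]

if __name__ == "__main__":
    print(group_by_source_user(SAMPLE_EVENTS))  # {'alice': 1, 'bob': 2}
```

Splitting the three conditions into separate filters joined by a gate would instead ask the engine to match three different events; keeping them in one filter, as the answer says, applies them all to the same logon event.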