I recently brought our new SIEM online (consists of an ESM, ACE, and two ERCs at the latest version of 9.2). I have had it running for a few months now with a good handful of data sources. I am ready to start building some correlation rules, but I need some help (my wife and I just had twins right after I got this set up, so I have been very sleep deprived and stupid, which is why I can't figure this out easily).

There are two rules I would like to start out building so I can get a feel for how it works. The first should be very simple: any Active Directory *activity* (logon, logoff, modifications to users or groups, etc.) performed by the Domain Administrator account. The second rule is very similar, but a little more complicated: any Active Directory modifications (creation/deletion/modification of users or groups, other similar activity) performed by any Source User, except not including a group of users listed in a Watchlist (the people in our org we expect should be doing this work).

I have all of our Domain Controllers sending event log information and have them grouped together under a single event receiver. I can drill around and see events of users being created etc. I just don't know how to create a rule (followed by an alarm) for when a specific user causes one of these types of events to occur. Thanks!!
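As an added illustration (not part of the original post and not ESM rule syntax), the two rules described above modelled in Python over constructed Windows Security events, so the match conditions can be checked before they are entered in the ESM rule editor. The event IDs are the standard Windows Security log IDs for logon/logoff and user/group changes; the watchlist accounts, domain name and sample records are assumptions.

```python
from dataclasses import dataclass

# Standard Windows Security log event IDs (not ESM signature IDs).
LOGON_LOGOFF = {4624, 4634, 4647, 4672}
AD_MODIFICATION = {4720, 4722, 4725, 4726, 4728, 4729, 4732, 4733, 4738, 4756, 4757}
AD_ACTIVITY = LOGON_LOGOFF | AD_MODIFICATION

# Constructed watchlist of accounts expected to administer AD (assumption).
EXPECTED_ADMINS = {"alice.admin", "bob.admin"}
DOMAIN_ADMIN = "administrator"

@dataclass(frozen=True)
class Event:
    event_id: int
    source_user: str  # as the DC logged it, e.g. "CORP\\Administrator"

def normalize_user(user: str) -> str:
    """Drop a DOMAIN\\ prefix or @realm suffix and lowercase, so one account
    matches however a given DC happened to write it."""
    user = user.rsplit("\\", 1)[-1]
    user = user.split("@", 1)[0]
    return user.lower()

def rule_domain_admin_activity(event: Event) -> bool:
    """Rule 1: any AD activity performed by the Domain Administrator account."""
    return event.event_id in AD_ACTIVITY and normalize_user(event.source_user) == DOMAIN_ADMIN

def rule_unexpected_modification(event: Event) -> bool:
    """Rule 2: user/group modification by any Source User not on the watchlist."""
    return (event.event_id in AD_MODIFICATION
            and normalize_user(event.source_user) not in EXPECTED_ADMINS)

RULES = {"domain_admin_activity": rule_domain_admin_activity,
         "unexpected_ad_modification": rule_unexpected_modification}

def evaluate(events):
    """Return (rule_name, event_id, normalized user) for every rule that fires."""
    return [(name, e.event_id, normalize_user(e.source_user))
            for e in events for name, rule in RULES.items() if rule(e)]

SAMPLE_EVENTS = [  # constructed records, one per case worth checking
    Event(4720, "CORP\\Administrator"),          # user created by Domain Admin -> both rules
    Event(4624, "Administrator@corp.example"),   # logon by Domain Admin -> rule 1 only
    Event(4728, "CORP\\alice.admin"),            # group change by watchlisted admin -> no alarm
    Event(4726, "corp\\mallory"),                # user deleted by someone else -> rule 2
    Event(4634, "bob.admin"),                    # logoff, not a modification -> no alarm
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Service accounts and the DC computer accounts (names ending in `$`) also write these event IDs, so they belong on the watchlist rather than in the rule logic if they are not to alarm.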