
Help with basic Correlation Rule/Alarm

I recently brought our new SIEM online (consists of an ESM, ACE, and two ERCs at the latest version of 9.2).  I have had it running for a few months now with a good handful of data sources.  I am ready to start building some correlation rules, but I need some help (my wife and I just had twins right after I got this set up, so I have been very sleep deprived and stupid which is why I can't figure this out easily).  There are two rules I would like to start out building so I can get a feel for how it works.  The first should be very simple.  Any Active Directory *activity* (logon, logoff, modifications to users or groups, etc.) performed by the Domain Administrator account.  The second rule is very similar, but a little more complicated.  Any Active Directory modifications (creation/deletion/modification of users or groups, other similar activity) performed by any Source User, except not including a group of users listed in a Watchlist (the people in our org we expect should be doing this work).  I have all of our Domain Controllers sending event log information and have them Grouped together under a single event receiver.  I can drill around and see events of users being created etc.  I just don't know how to create a rule (followed by an alarm) for when a specific user causes one of these types of events to occur.  Thanks!!
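
The matching logic of the two rules described in the post, as an added example that is not part of the original post and is not McAfee ESM rule syntax. The account name, the watchlist members, the event field names and the subset of Windows Security event IDs are assumptions chosen for illustration; the sample events are constructed.

```python
# Added illustration: plain Python, not McAfee ESM rule syntax.
# Windows Security event IDs (a subset chosen for this example).
LOGON_IDS = {4624, 4634}                      # logon, logoff
AD_CHANGE_IDS = {
    4720, 4722, 4725, 4726, 4738,             # user created/enabled/disabled/deleted/changed
    4727, 4728, 4729, 4730, 4737,             # global group created/member added/member removed/deleted/changed
}
ADMIN_ACCOUNT = "administrator"               # assumption: built-in account not renamed
APPROVED_ADMINS = {"jsmith", "mlee"}          # hypothetical watchlist contents


def normalize(user):
    """Reduce DOMAIN\\user, user@domain and mixed case to one comparable form."""
    user = (user or "").strip().lower()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    return user.split("@", 1)[0]


def evaluate(event):
    """Return the names of the rules this event triggers."""
    user = normalize(event.get("source_user"))
    eid = event.get("event_id")
    hits = []
    # Rule 1: any logon, logoff or AD change by the Domain Administrator account.
    if user == ADMIN_ACCOUNT and eid in LOGON_IDS | AD_CHANGE_IDS:
        hits.append("domain_admin_activity")
    # Rule 2: AD change by anyone not on the watchlist. An empty source user
    # is also "not on the watchlist", so it alerts instead of passing silently.
    if eid in AD_CHANGE_IDS and user not in APPROVED_ADMINS:
        hits.append("unapproved_ad_change")
    return hits


# Constructed sample events (field names are assumptions, not ESM field names).
SAMPLE_EVENTS = [
    {"event_id": 4624, "source_user": "CORP\\Administrator"},
    {"event_id": 4720, "source_user": "CORP\\JSmith"},
    {"event_id": 4728, "source_user": "intern1@corp.example"},
    {"event_id": 4726, "source_user": "Administrator"},
    {"event_id": 4624, "source_user": "CORP\\intern1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_id"], ev["source_user"], evaluate(ev))
```

Normalizing the user before the watchlist comparison matters for the second rule: a watchlist entry that differs from the logged value only by case or domain prefix would otherwise alert on an approved administrator.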