Not entirely working yet.
I am getting this to trigger, but it only seems to fire once a day. I want this to fire on EVERY ID that meets the criteria (say, lockout signature) within a 24-hour time period, not just one ID. I have a group-by set up.
Here are some results from a test I configured today:
It can take a few minutes, since there is an interval for collecting the log, processing the log at the Receiver, collecting it from the Receiver, sending the events to the correlation engine, and then collecting the events back, plus the amount of time to duff the password and unlock the account.
Here is how my correlation rule is configured.
This won't affect what you are trying, but when you create an alarm based on a correlation event, you only need to select the ACE or the correlation data source. Otherwise, it wastes lots of processing power and is inefficient.
I would create a correlation rule based on the Normalization Rule Account Lockouts, with no parameters. Make sure that fires. Then go into the correlation rule, go to the top (parameters) and add TimeWindow and Number of occurrences.
Then you can create an alarm based on that correlation rule.
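To make the difference between the symptom in the original question (one alert per day) and the intended behaviour (one alert per account that hits the threshold) concrete, here is a small stand-alone model of the correlation logic the replies describe: a group-by on the account, a TimeWindow, and a Number-of-occurrences threshold. This is added illustration code, not McAfee ESM configuration and not from anyone in the thread; the event tuples are constructed sample data, and the function and field names (`correlate`, `account`, `signature`) are my own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, account, normalized signature)
SAMPLE_EVENTS = [
    ("2024-01-10 08:00:00", "alice", "Account Lockout"),
    ("2024-01-10 08:05:00", "bob",   "Account Lockout"),
    ("2024-01-10 08:06:00", "alice", "Account Lockout"),
    ("2024-01-10 08:07:00", "alice", "Account Lockout"),
    ("2024-01-10 09:00:00", "carol", "Account Unlock"),   # wrong signature, ignored
    ("2024-01-10 13:00:00", "bob",   "Account Lockout"),
    ("2024-01-10 13:30:00", "bob",   "Account Lockout"),
    ("2024-01-12 10:00:00", "alice", "Account Lockout"),  # fresh burst two days later
    ("2024-01-12 10:01:00", "alice", "Account Lockout"),
    ("2024-01-12 10:02:00", "alice", "Account Lockout"),
]

def correlate(events, signature="Account Lockout", window=timedelta(hours=24),
              threshold=3, group_by_account=True):
    """Model of a threshold correlation rule.

    Returns a list of (timestamp, key, count) triggers. With group_by_account=True
    every account gets its own sliding window, so each account that reaches the
    threshold fires independently. With group_by_account=False all events share one
    window, so the rule fires once per window and the trigger no longer says which
    account was locked out (the "once a day" symptom).
    """
    windows = defaultdict(deque)   # key -> timestamps of matching events still in window
    triggers = []
    for ts, account, sig in sorted(events, key=lambda e: e[0]):
        if sig != signature:
            continue
        key = account if group_by_account else "*"
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = windows[key]
        q.append(t)
        # Drop events older than the TimeWindow relative to the newest event.
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            triggers.append((ts, key, len(q)))
            # Reset so the same burst does not re-fire on every further event;
            # a new burst for this key will fire again once it reaches the threshold.
            q.clear()
    return triggers

if __name__ == "__main__":
    for trig in correlate(SAMPLE_EVENTS):
        print("grouped  :", trig)
    for trig in correlate(SAMPLE_EVENTS, group_by_account=False):
        print("ungrouped:", trig)
```

With the group-by, alice fires at 08:07 on the 10th and again at 10:02 on the 12th, and bob fires at 13:30 on the 10th; carol's unlock event never counts because the signature filter runs before the window. Without the group-by the pooled window fires after the third lockout from anyone, which is the behaviour to look for if a rule seems to alert only once per window instead of once per ID.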