I would like to build a Windows-based Alert and Report which shows password changes by someone other than the account owner. The Event ID in-scope is:
Windows logs record the account performing the password change as the Subject Account Name which Nitro parses to the Source User field, and records the account receiving the password change as the Target Account Name which Nitro parses to the Destination User field.
The Alert and Report must have the following filtering criteria:
SignatureID = 43-263047230
Source User != Destination User
How do I accomplish the filtering criteria: Source User != Destination User?
That can be achieved with a correlation rule.
Within the filter for Source User there is an option "not In" which can do the job for you. Try it and let me know; I'll be glad to help you.
I'm in the same boat here... I don't see any way to use another field as a value. The match component only lets you set a variable, string value, watch list, etc.
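The comparison asked about above, Source User != Destination User, as an added example that is not part of the thread or of the product: a Python post-filter over exported events. The CSV layout and the sample rows are constructed assumptions; only the signature ID and the three field names come from the question.

```python
import csv
import io

SIGNATURE_ID = "43-263047230"  # signature ID given in the question

# Constructed sample export. The CSV layout is an assumption.
SAMPLE_EXPORT = """SignatureID,Source User,Destination User
43-263047230,alice,alice
43-263047230,CORP\\Alice,alice
43-263047230,helpdesk1,bob
43-263047230,bob@corp.example,BOB
43-263047230,svc_reset,carol
43-263047999,mallory,dave
43-263047230,,erin
"""

def normalize(account):
    """Reduce DOMAIN\\user, user@domain and mixed case to a bare lowercase name.

    Dropping the domain treats same-named accounts in different domains as
    one account; keep the domain if that distinction matters to you.
    """
    name = account.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()

def changed_by_other(csv_text=SAMPLE_EXPORT, signature_id=SIGNATURE_ID):
    """Return (hits, unparsed) for password-change events with the given signature."""
    hits, unparsed = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["SignatureID"] != signature_id:
            continue
        src = normalize(row["Source User"])
        dst = normalize(row["Destination User"])
        if not src or not dst:
            unparsed.append(row)  # empty field: cannot compare, review separately
        elif src != dst:
            hits.append((src, dst))
    return hits, unparsed

if __name__ == "__main__":
    hits, unparsed = changed_by_other()
    for src, dst in hits:
        print(f"password for {dst} changed by {src}")
    print(f"{len(unparsed)} event(s) with a missing user field")
```

Normalizing before comparing keeps events where the same account appears as `CORP\Alice` and `alice` from being reported as a change by another user.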