I want to create an alert when an admin user creates a new user in AD, and send this admin an email by taking his username from the source user field and appending "@domain" to it.
I want to do this to make sure that he performed this action and not someone else who stole his identity.
Is there any easy way to do this?
So you want to send this email dynamically based on the user... not sure this is possible directly inside the SIEM platform.
As an alternative solution, could you make a distribution group, send all user creations to that distribution, then have the administrators filter out events that are not triggered by their username? Also gives other administrators visibility into who made user accounts.
The best solution for that is to create a nice report for all of the events you want,
and send it every day / week to the System Manager to check whether he sees changes that were made without permission.
You could even configure the ESM to generate and send this report each time a specific event triggers.
But for your original request: McAfee ESM doesn't have that embedded in the system, but in the alarm wizard you could choose the "execute remote command" option and, in the script box at the bottom, insert a script that adds the company's domain to the user name of the event and then sends it to the email server,
but for that you will need a good script writer.
Interesting to hear what you did in the end... because I was thinking about this issue for a long time...
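A sketch of the kind of script the "execute remote command" suggestion above would call, added here as an example and not taken from the thread or from McAfee. It assumes the alarm passes the event's source user and the new account name as command-line arguments; the domain, relay host and sender are placeholders.

```python
import re
import smtplib
import sys
from email.message import EmailMessage

MAIL_DOMAIN = "example.com"          # assumption: placeholder for the company's domain
SMTP_HOST = "mail.example.com"       # assumption: placeholder internal mail relay
SENDER = "siem-alerts@example.com"   # assumption: placeholder sender mailbox

# Conservative allow-list (an assumption about the naming scheme). It rejects
# CR/LF (mail header injection), spaces, '@' and shell metacharacters.
_USER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def recipient_for(source_user):
    """Map the event's source user to a mail address, or raise ValueError."""
    user = source_user.strip()
    if "\\" in user:                 # drop a NetBIOS prefix such as CORP\jsmith
        user = user.rsplit("\\", 1)[1]
    if not _USER_RE.fullmatch(user):
        raise ValueError("unexpected source user: %r" % source_user)
    return "%s@%s" % (user.lower(), MAIL_DOMAIN)


def build_notification(source_user, new_account):
    """Build the confirmation mail addressed to the admin named in the event."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient_for(source_user)
    msg["Subject"] = "AD account created under your name"
    # %r escapes control characters in the event-supplied account name.
    msg.set_content(
        "The SIEM recorded that your account created the AD user %r.\n"
        "If you did not do this, report it to the security team.\n" % new_account
    )
    return msg


if __name__ == "__main__":
    # assumption: argv[1] = source user, argv[2] = newly created account
    try:
        message = build_notification(sys.argv[1], sys.argv[2])
    except (IndexError, ValueError) as exc:
        sys.exit("not sent: %s" % exc)
    with smtplib.SMTP(SMTP_HOST, 25, timeout=10) as smtp:
        smtp.send_message(message)
```

Validating the source user before it reaches a mail header matters because the field comes from event data, which the script should treat as untrusted input.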