I created an ALARM to monitor all Windows groups (Domain and Local). This Alarm generates a Report. There is no filtering on which groups have been changed. What is odd about this is that it has two queries: one for Domain groups that were changed and the other for Local Groups that were changed.
Field Match : Normalized ID 407912448
[x] Log Event
[x] Generate Report
Comment : "Normalized ID : 407912448 A change was made to a Domain Group [Source User] made the change [Rule Message] added/deleted [Destination User] to/from [Domain]|[Host] / [Object]"
Filters : Normalized ID , State [All]
Comment : "Normalized ID : 407912448 A change was made to a Local Group [Source User] made the change [Rule Message] added/deleted to/from [Host] / [Object]"
Filters : Normalized ID , NOT Signature ID [43-211006330,43-211006410,43-211006390,43-211006370,43-211006320,43-211006310] , State [All]
Hope this helps. I've never created a Correlation Rule. I look forward to learning how to do this in a Correlation rule.
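To make the two report queries in the alarm above easier to reason about, here is an added example that is not McAfee ESM code and not from the original post. It models the alarm's field match and the two report filters as plain Python predicates, renders the comment templates from the post, and runs them over a few constructed events. The event field names (normalized_id, signature_id, source_user, rule_message, destination_user, domain, host, object) are assumptions standing in for the ESM fields named in the comment templates; the Normalized ID and the excluded Signature IDs are copied from the alarm as written.

```python
"""Simulate the Domain-group and Local-group report queries of the alarm above.

Added example, not McAfee ESM code. Field names on the event dicts are
assumptions chosen to mirror the placeholders in the alarm's comment templates.
"""

NORMALIZED_ID = 407912448  # Field Match from the alarm

# Signature IDs the Local-group query excludes (copied from the alarm's filter)
LOCAL_QUERY_EXCLUDED_SIGNATURES = frozenset({
    "43-211006330", "43-211006410", "43-211006390",
    "43-211006370", "43-211006320", "43-211006310",
})


def alarm_matches(event):
    """Field Match: the alarm fires on any event with the monitored Normalized ID."""
    return event.get("normalized_id") == NORMALIZED_ID


def domain_query_matches(event):
    """Domain-group query: Filters are Normalized ID and State [All] only."""
    return alarm_matches(event)


def local_query_matches(event):
    """Local-group query: Normalized ID, NOT Signature ID [...], State [All]."""
    return (alarm_matches(event)
            and event.get("signature_id") not in LOCAL_QUERY_EXCLUDED_SIGNATURES)


def domain_comment(event):
    """Render the Domain-group comment template from the alarm."""
    return (f"Normalized ID : {NORMALIZED_ID} A change was made to a Domain Group "
            f"{event['source_user']} made the change {event['rule_message']} "
            f"{event['destination_user']} to/from {event['domain']}|{event['host']} "
            f"/ {event['object']}")


def local_comment(event):
    """Render the Local-group comment template from the alarm."""
    return (f"Normalized ID : {NORMALIZED_ID} A change was made to a Local Group "
            f"{event['source_user']} made the change {event['rule_message']} "
            f"added/deleted to/from {event['host']} / {event['object']}")


def run_queries(events):
    """Return (domain_report, local_report): rendered comment lines per query."""
    domain_report = [domain_comment(e) for e in events if domain_query_matches(e)]
    local_report = [local_comment(e) for e in events if local_query_matches(e)]
    return domain_report, local_report


# Constructed sample events; the "43-000000000"/"43-000000001" signature IDs
# are placeholders, not real ESM signatures.
SAMPLE_EVENTS = [
    {   # group change whose signature is on the Local-group exclusion list
        "normalized_id": 407912448, "signature_id": "43-211006330",
        "source_user": "admin01", "rule_message": "added",
        "destination_user": "jdoe", "domain": "CORP", "host": "dc01",
        "object": "Domain Admins",
    },
    {   # group change whose signature is not excluded
        "normalized_id": 407912448, "signature_id": "43-000000000",
        "source_user": "admin02", "rule_message": "deleted",
        "destination_user": "svc_backup", "domain": "", "host": "srv07",
        "object": "Administrators",
    },
    {   # unrelated event: different Normalized ID, never reaches the alarm
        "normalized_id": 1, "signature_id": "43-000000001",
        "source_user": "n/a", "rule_message": "n/a",
        "destination_user": "n/a", "domain": "", "host": "srv07",
        "object": "n/a",
    },
]


if __name__ == "__main__":
    domain, local = run_queries(SAMPLE_EVENTS)
    print("Domain-group report:")
    for line in domain:
        print("  " + line)
    print("Local-group report:")
    for line in local:
        print("  " + line)
```

Running it shows the point the post makes about missing group filtering: the Domain-group query has no Signature ID exclusion, so every event with Normalized ID 407912448 lands in that report, while only the Local-group query narrows the set. Tightening the Domain-group filter (for example, excluding the signatures that the Local-group query keeps) is where a practitioner would start if the reports should not overlap.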
I am not sure if you resolved this yet yourself. The first time I tried creating a correlation rule I ran into the same problem, but I don't know if this is the same fix for you. When going into Policy Editor, I chose Correlation on the left. I created the rule, the alarm, enabled it, then did a rollout. The part I missed was that I needed to actually go to the top left where it says Default Policy, click the little right-pointing triangle for the drop-down menu, and click on Correlation in there. At that point I realized that while I had enabled the rule under Default Policy, it wasn't enabled under Correlation. Once I enabled it there, it started working for me. I was told by McAfee support that I should also disable the rule at the Default Policy level and only have it enabled at the Correlation level; not really sure what the reasoning is for that, but I followed their suggestion on that as well.
I finally got it to work after engaging Support; there were a bunch of processes locked up. Once the tech stopped the services and killed all the processes it worked. Now I have to figure out how to get the information from the rule to show up right in the alarm email. There is a tab in the triggered rule that's called Source Events that I can't get to show up in the alarm email.