8 Replies Latest reply on Aug 16, 2016 9:22 PM by minsktractorworks

    Linking Source and Destination Users

    minsktractorworks

      Hey guys,

       

      Just wondering if anyone has run into the trying to link source and destination users within correlation rules. We have the following issue

       

      1. User's password is reset in AD. This generates an event with the interesting user in the destination user field.

      2. That user then attempts a VPN login. This generates an event with the interesting user in the source user field.

       

      Has anyone found a way to correlate these events based on the source/destination user? We are trying to resolve without needing to parse the source user into the destination field for the VPN event.