5 Replies Latest reply on Dec 2, 2016 10:12 AM by xded

    Filters matching Report


      Hi All,

      Looking to create a report where two filters can be equal / matching.  Is this possible by correlation or any other way?



        • 1. Re: Filters matching Report

          Do you mean


          Source Ip is:

          Hostname is:


          or what do you mean by two filters can be equal? Is there an example?

          • 2. Re: Filters matching Report

            Hi Xded,

            Sorry for not being more specific.


            Administrators are creating local admin equivalent user accounts and deleting them after.   I need to build a report where a user logs on locally on tmftpbrs host as tmftpbrs\admin1 - alarm should go off.   I don't want to put any names in the variable group because the name can be anything.  The report should be based on host = domain login success.

            Thanks X for looking into it.

            • 3. Re: Filters matching Report

              Hi zakhter,


              you need a correlation for this.


              Correlate two Events in one. First Event is the Account creation and the secondary Event is the local logon on the Server/Client.

              After this you can set up a Report with a filter on the Signature ID from the correlated Event.


              Sorry for the cryptic explanation, but in my environment we haven't any standard parser for all Windows Events. So we have other signature IDs than in your environment.

              • 4. Re: Filters matching Report

                Hi X,

                Created a correlation

                Local user logging onto local server where local server = server/client

                • 5. Re: Filters matching Report

                  I'm not sure if this works.


                  There must be two Events in your SIEM.

                  1. A User was added to a local Security Group (Signature ID = 43-xxxx48880; careful, it's an example)


                  2. A user has logged on (Signature ID = 43-xxxx46240)




                            Filters -> Signature ID (in) 43-xxxx48880


                            Filters -> Signature ID (in) 43-xxxx46240


                  This gives you another Signature ID, the Signature ID from this Correlation Event, and with this Event you can set up an Alarm or a Report after some days.
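
The correlation discussed in this thread, sketched outside any SIEM as an added example (not code from the thread or from the product): a logon is flagged when its logon domain equals the host name, meaning a local account, and the same account was added to a local group on that host shortly before. The field names, the 24-hour window and the sample events are assumptions constructed for illustration, and the parser is assumed to resolve the added member's account name.

```python
from datetime import datetime, timedelta

ADDED_TO_LOCAL_GROUP = 4732  # Windows: member added to a security-enabled local group
LOGON_SUCCESS = 4624         # Windows: an account was successfully logged on

# Constructed sample events; the field names are assumed, not a real SIEM schema.
EVENTS = [
    {"time": "2016-12-01T09:00:00", "event_id": 4732, "host": "tmftpbrs", "user": "admin1"},
    {"time": "2016-12-01T09:05:00", "event_id": 4624, "host": "tmftpbrs.example.local",
     "domain": "TMFTPBRS", "user": "admin1"},       # local logon soon after the add
    {"time": "2016-12-01T09:06:00", "event_id": 4624, "host": "tmftpbrs",
     "domain": "CORP", "user": "jsmith"},           # domain account, ignored
    {"time": "2016-12-01T09:07:00", "event_id": 4624, "host": "tmftpbrs",
     "domain": "tmftpbrs", "user": "svc_backup"},   # local account, never added
    {"time": "2016-12-05T09:00:00", "event_id": 4624, "host": "tmftpbrs",
     "domain": "tmftpbrs", "user": "admin1"},       # outside the default window
]

def short(name):
    """Normalize a host or domain name: drop any DNS suffix, ignore case."""
    return name.split(".")[0].lower()

def correlate(events, window=timedelta(hours=24)):
    """Return local logons (domain == host) by accounts that were added to a
    local group on the same host at most `window` before the logon."""
    added = {}   # (host, user) -> time of the latest group add
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        host = short(ev["host"])
        key = (host, ev["user"].lower())
        if ev["event_id"] == ADDED_TO_LOCAL_GROUP:
            added[key] = when
        elif ev["event_id"] == LOGON_SUCCESS and short(ev["domain"]) == host:
            # No user names are listed anywhere: the match is host == domain.
            if key in added and when - added[key] <= window:
                alerts.append({"host": host, "user": ev["user"],
                               "logon": ev["time"],
                               "added": added[key].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```
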