What is the best way to create a correlation rule
I'm trying to create a correlation rule that will notify my team if a new Windows AD account is created and is used to create new accounts or any privilege escalations such as adding itself or other accounts to the domain admin group. At the moment we're just getting normal event logs and no correlations even though I believe I followed AL's provided instructions pretty well.
I have attached a screenshot of the current rule here. Any help or feedback would be greatly appreciated.
Nathan - Thanks for reaching out and for providing a picture; it will be very helpful! While I get you a good answer, here are some pieces of documentation for you to peruse (if you haven't already) that may help:
I'll be back to you here as soon as possible with specific details on your use case.
Hi Abby Kincer did you have a solution to this, it's something we would be interested in too but unable to get the correct inputs.0
dominic hibbert, thank you for reaching out! This specific use case has yet to be resolved, so I'll loop you in with our Support team now to get some answers.0
Please sign in to leave a comment.