I'm trying to create a correlation rule that will notify my team if a new Windows AD account is created and is then used to create new accounts or for any privilege escalation, such as adding itself or other accounts to the Domain Admins group. At the moment we're just getting normal event logs and no correlations, even though I believe I followed AL's provided instructions pretty well.
I have attached a screenshot of the current rule here. Any help or feedback would be greatly appreciated.
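For reference, this is what the correlation described in the question looks like as plain logic run over sample Windows Security events. It is an added example, not the poster's rule or the vendor's, and it assumes the SIEM hands you the Security log's EventData fields under their native names (SubjectUserName for the actor, TargetUserName for the created account or modified group, MemberName for the account added to a group); the JSON shape, the 24-hour "new account" window and the sample events are all constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Windows Security log event IDs the rule keys on
EVENT_USER_CREATED = 4720                        # A user account was created
EVENT_GROUP_MEMBER_ADDED = {4728, 4732, 4756}    # member added to global / local / universal security group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
LOOKBACK = timedelta(hours=24)                   # how long an account counts as "new" (assumed tuning value)

# Constructed sample events, not real telemetry. Field names follow the Security log's
# EventData names; the JSON-per-line shape is an assumption about the SIEM's export.
SAMPLE_LOG = [
    '{"EventID": 4720, "TimeCreated": "2024-05-01T09:00:00", "SubjectUserName": "it.admin", "TargetUserName": "svc-backup"}',
    '{"EventID": 4720, "TimeCreated": "2024-05-01T09:10:00", "SubjectUserName": "svc-backup", "TargetUserName": "helpdesk2"}',
    '{"EventID": 4728, "TimeCreated": "2024-05-01T09:12:00", "SubjectUserName": "svc-backup", "TargetUserName": "Domain Admins", "MemberName": "CN=helpdesk2,CN=Users,DC=corp,DC=example"}',
    '{"EventID": 4728, "TimeCreated": "2024-05-01T09:15:00", "SubjectUserName": "it.admin", "TargetUserName": "Backup Operators", "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"}',
    '{"EventID": 4720, "TimeCreated": "2024-05-03T10:00:00", "SubjectUserName": "svc-backup", "TargetUserName": "svc-report"}',
]


def parse_events(lines):
    """Parse JSON event lines and return them in time order."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["TimeCreated"] = datetime.fromisoformat(e["TimeCreated"])
        events.append(e)
    return sorted(events, key=lambda e: e["TimeCreated"])


def correlate(events, lookback=LOOKBACK):
    """Return one alert per event in which an account created within `lookback`
    either creates another account or adds a member to a privileged group."""
    created_at = {}   # account name from a 4720 -> creation time; this is the rule's state
    alerts = []
    for e in events:
        actor, when, eid = e["SubjectUserName"], e["TimeCreated"], e["EventID"]
        born = created_at.get(actor)
        if born is not None and when - born <= lookback:
            if eid == EVENT_USER_CREATED:
                alerts.append({"rule": "new_account_creates_account", "actor": actor,
                               "actor_created": born, "target": e["TargetUserName"], "time": when})
            elif eid in EVENT_GROUP_MEMBER_ADDED and e["TargetUserName"] in PRIVILEGED_GROUPS:
                alerts.append({"rule": "new_account_modifies_privileged_group", "actor": actor,
                               "actor_created": born, "group": e["TargetUserName"],
                               "member": e.get("MemberName"), "time": when})
        if eid == EVENT_USER_CREATED:
            # register after the check so a creation event never correlates with itself
            created_at[e["TargetUserName"]] = when
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_LOG)):
        print(a["time"].isoformat(), a["rule"], a["actor"], a.get("target") or a.get("group"))
```

Two things worth checking against whatever the rule editor shows: the 4728/4732/4756 events carry the group in TargetUserName and the added account in MemberName, which is the reverse of what the names suggest and a common reason a group-membership clause never matches; and the rule only fires if the earlier 4720 has actually been retained as state, so a rule that evaluates each event in isolation, without a lookback window, will produce exactly the symptom described (events arrive, correlations never do). The example ignores the account's domain and SID, so in a real deployment the actor key should include SubjectDomainName or, better, the SID.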