I was able to complete this in the Rule Builder section of the UI. I have posted screenshots below for comparison. Please note this was built in 11.3.1.
Access your rule library (Configure > ESA Rules > Rule Library) and add a new rule ('+' icon, click on Rule Builder).
Give your rule a pertinent name.
Keep Trial Rule selected (RSA best practice).
In your Conditions, create two statements:
Statement 1: I set the name as "Event ID 4741" (use whatever you want), select "if all conditions are met" and enter the following for your meta conditions: reference_id is 4741; add a second meta condition and enter ec_outcome is Success; click Save.
Statement 2: I set the name as "Event ID 5139" (again, use whatever you want), select "if all conditions are met" and enter the following for your meta condition: reference_id is 5139; click Save. I did not add an ec_outcome (event outcome) to the second statement, as the alert would then only fire when there was a successful computer account creation followed by a successful object move. You may want to consider this based on your environment.
Once you are back in the main Rule Builder screen, on the first statement there is a heading labeled Connector. Click in the box and select "followed by".
New options will appear below your Conditions: you'll have a Group By and an Occurs Within. For purposes of building this, I grouped by the first meta condition of reference_id and then set a time window of 5 minutes; however, this value is subject to what makes sense for your environment. In the Event Sequence, I set the value to Strict.
Once this is complete, click on Show Syntax. This will let you know if there are any errors in the rule being built.
This is the syntax for the rule that I just created:
/*
  This basic template is a placeholder for defining basic EPL content that can be
  installed and executed in ESA. The sample below is the minimum that would be
  required to get started.
*/

/* Module debug section. If this is empty then debugging is off. */

/* EPL section. If there is no text here it means there were no statements. */
@RSAAlert
SELECT * FROM Event(
  /* Statement: Event ID 4741 */
  (reference_id IN ( '4741' ) AND ec_outcome IN ( 'Success' ))
  OR
  /* Statement: Event ID 5139 */
  (reference_id IN ( '5139' ))
).win:time(5 minutes)
MATCH_RECOGNIZE (
  PARTITION BY reference_id
  MEASURES E1 as e1_data , E2 as e2_data
  PATTERN (E1 E2)
  DEFINE
    E1 as (E1.reference_id IN ( '4741' ) AND E1.ec_outcome IN ( 'Success' )),
    E2 as (E2.reference_id IN ( '5139' ))
);
Lastly, you can configure notifications for the alert outside of any incident rules which may already cover Windows Event alerts. You have four notification options: Email, SNMP, Syslog and a Script. You would need to have these already configured under Admin > System > Global Notifications.
Once you are done, click Save and you're ready to deploy the rule to your ESA! This will give you a place to start, and you can follow up with any tuning as the alerts start firing.
Let us know if you have any questions!
Sales Engineer - NetWitness
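As an added example (not part of the post above, and not ESA or NetWitness code), the following Python models what the "followed by" rule does so you can see the strict sequence and the 5-minute window behave on sample data before deploying: an E1 event (reference_id 4741 with ec_outcome Success) followed by an E2 event (reference_id 5139) inside the window, evaluated per partition. The events, the hypothetical "host" field used as the partition key, and the "time" field are all constructed here for illustration; the two match conditions are the ones from the rule.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). They carry the two meta keys the
# rule tests (reference_id, ec_outcome) plus a hypothetical "host" key that
# this example uses as the partition key.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "host": "dc01", "reference_id": "4741", "ec_outcome": "Success"},
    {"time": "2024-01-01T10:02:30", "host": "dc01", "reference_id": "5139", "ec_outcome": "Success"},
    # 4741 that failed: does not satisfy E1, so the later 5139 must not alert
    {"time": "2024-01-01T10:10:00", "host": "dc02", "reference_id": "4741", "ec_outcome": "Failure"},
    {"time": "2024-01-01T10:11:00", "host": "dc02", "reference_id": "5139", "ec_outcome": "Success"},
    # valid pair, but 7 minutes apart: outside a 5-minute window
    {"time": "2024-01-01T11:00:00", "host": "dc03", "reference_id": "4741", "ec_outcome": "Success"},
    {"time": "2024-01-01T11:07:00", "host": "dc03", "reference_id": "5139", "ec_outcome": "Success"},
]


def is_e1(ev):
    """Statement 1 from the rule: reference_id 4741 with a successful outcome."""
    return ev["reference_id"] == "4741" and ev["ec_outcome"] == "Success"


def is_e2(ev):
    """Statement 2 from the rule: reference_id 5139 (no outcome filter, as in the post)."""
    return ev["reference_id"] == "5139"


def correlate(events, partition_key="host", window=timedelta(minutes=5), strict=True):
    """Return (e1_data, e2_data) pairs where E1 is followed by E2 within `window`,
    tracked separately per value of `partition_key`.

    strict=True mimics a Strict event sequence: an intervening event in the same
    partition that matches neither E1 nor E2 discards the pending E1.
    """
    pending = {}   # partition value -> the E1 event still waiting for its E2
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = ev.get(partition_key)
        ts = datetime.fromisoformat(ev["time"])
        first = pending.get(key)
        # Drop a pending E1 whose window has already elapsed.
        if first is not None and ts - datetime.fromisoformat(first["time"]) > window:
            pending.pop(key)
            first = None
        if is_e1(ev):
            pending[key] = ev            # a newer E1 restarts the sequence
        elif is_e2(ev):
            if first is not None:
                alerts.append((first, ev))
                pending.pop(key)
        elif strict and first is not None:
            pending.pop(key)             # unrelated event breaks a strict sequence
    return alerts


def alert_partitions(events, **kwargs):
    """Convenience wrapper: just the partition values that produced an alert."""
    return [e1["host"] for e1, _ in correlate(events, **kwargs)]


if __name__ == "__main__":
    for e1, e2 in correlate(SAMPLE_EVENTS):
        print(f"ALERT host={e1['host']} 4741@{e1['time']} -> 5139@{e2['time']}")
```

Running it as-is produces one alert (dc01); widening the window to 10 minutes also picks up dc03, which is the kind of tuning the post suggests doing once alerts start firing.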