CRL to show multiple logins from 1 username to multiple machines
My recommendation is that you add another item to your event selection. Under the 'Event Type' column for this additional line, select 'Variable' and in the 'Value' column, select the variable you are using for multi-threading.
Effectively you are selecting the events by whether they have a specific variable in use and whatever other criteria you have selected.
Hi, I think I've followed your suggestions correctly. Can you please take a look at the HTML screenshot or the XML attachment and let me know if you think this is correct?
My apologies, I can only add one attachment. If you would like the XML, please let me know.
As a rule of thumb, if you go back to the initial screen you see when editing the rule, the rule's multi-threading settings will be checked every time you visit that page. If the rule is not valid, the text within the multi-threading area will be red (instead of black).
Looking at your HTML output I can't quite tell, because in the page the multi-threading setting is using the variable's "label" and within the event selection it appears to use the actual variable. If you could post the XML, it would be a lot easier to validate. However, if you follow the above steps to check the multi-threading validity and you don't see an error, then you can safely assume the rule is correct.
Sorry, I misunderstood the original request (I thought you only wanted validation of the multi-threading). I took a further look at the rule that you posted and there are some additional things you probably want to add in here.
The first is you aren't truly considering that a user has logged into multiple machines. You probably want to associate a cache variable with the server IP address in the "FirstLogin" circuit so that you can compare it to the server IP address in the "SecondLogin" circuit.
The other issue is your decay time. Since you require that all events must fire within 1 minute, it's possible that you might not actually collect the events within that time period for that event to fire. I would suggest that you expand that out to 5 or 10 minutes so at least you can validate the rule functionality. Assuming you are using the agentless Windows event retrieval, you could configure the collection service to poll more frequently, but that potentially has implications for your performance.
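Added example (not part of the thread, and not the product's rule engine or the poster's XML): the two points above, caching the server IP from the first login per user and comparing it against later logins within a decay window, modelled as a small Python correlator over constructed log lines. The log format, the field names (`user=`, `server=`) and the `decay_seconds` parameter are assumptions for this example. Running it with a 600-second window versus a 60-second window shows why a window shorter than the collection interval can silently miss the second login.

```python
"""One username, multiple machines: a minimal correlation over constructed logins.

Added example, not the product's rule engine. Mirrors the FirstLogin/SecondLogin
idea from the thread: a per-user cache holds the server IP of the first login,
and any later login from the same user to a different server inside the decay
window raises an alert.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log lines (not real logs). Assumed format: ts=<seconds> user=<name> server=<ip>
SAMPLE_LOG = """
ts=0    user=alice server=10.0.0.5
ts=30   user=alice server=10.0.0.5
ts=90   user=alice server=10.0.0.7
ts=100  user=bob   server=10.0.0.5
ts=800  user=bob   server=10.0.0.9
ts=1000 user=carol server=10.0.0.5
ts=1500 user=bob   server=10.0.0.5
ts=2000 user=dave  server=10.0.0.5
ts=2100 user=dave  server=10.0.0.7
ts=2200 user=dave  server=10.0.0.8
""".strip().splitlines()


@dataclass
class Login:
    ts: int          # seconds since the start of the constructed log
    user: str        # account name
    server_ip: str   # machine the account logged in to


@dataclass
class Alert:
    user: str
    first_ip: str
    second_ip: str
    seconds_apart: int


def parse_login(line: str) -> Login:
    """Parse one 'key=value' log line into a Login record."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Login(int(fields["ts"]), fields["user"], fields["server"])


def detect_multi_host_logins(lines: List[str], decay_seconds: int) -> List[Alert]:
    """Return one Alert per login to a *different* server by a user whose first
    login is still inside the decay window.

    The cache entry (the 'FirstLogin' server IP) is anchored on the first login
    seen; it is only replaced once it has aged past decay_seconds. Logins to the
    same server refresh nothing and raise nothing.
    """
    logins = sorted((parse_login(l) for l in lines), key=lambda e: e.ts)
    first_login: Dict[str, Login] = {}   # user -> cached first login
    alerts: List[Alert] = []
    for ev in logins:
        first = first_login.get(ev.user)
        if first is None or ev.ts - first.ts > decay_seconds:
            # No live cache entry for this user: this login becomes the anchor.
            first_login[ev.user] = ev
            continue
        if ev.server_ip != first.server_ip:
            alerts.append(Alert(ev.user, first.server_ip, ev.server_ip, ev.ts - first.ts))
    return alerts


if __name__ == "__main__":
    for window in (600, 60):
        hits = detect_multi_host_logins(SAMPLE_LOG, window)
        print(f"decay={window}s -> {len(hits)} alert(s)")
        for a in hits:
            print(f"  {a.user}: {a.first_ip} then {a.second_ip} after {a.seconds_apart}s")
```

With the 600-second window the example flags alice (10.0.0.5 then 10.0.0.7, 90 s apart) and dave twice; bob's two different servers are 700 s apart and fall outside the window, so they are not correlated. With the 60-second window nothing fires at all, even though the same activity is present: that is the situation described above where the events exist but are never collected into one live window.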
Thanks once again, Daniel, I appreciate your help. I've added a variable (one of our Domain Controllers), set a default value of its IP address, and set the decay time to 10 min. Does this look better? (XML attached)
Sorry, I had to remove the XML and alter it to remove the name and IP used.