Help with canned rule NIC026
I am trying to run the canned correlation rule NIC026 for workstation logins from the same user. I need to have this rule run only against my domain controllers and also filter out some user accounts. I am new to correlation rules. I do not have an option to set a filter when this is loaded.
Any help would be great.
Under the circuit "Windows events - Compare the cache", click on Statement 1, then click on the "Set Filter" button. This will take you to a new page where you can add new filters by clicking on "Add Filter".
Now, to filter on user accounts you can use the variable User Name, and to filter on domain names you can use the variable domain.
Thank you, I was able to set a filter to include names not on a watchlist I created that contains service accounts.
Now the alert never fires. I have logged on with my ID to multiple machines, but the alert never triggers.