I've created a correlation rule to firstly capture a 626 event (account enabled) and then a 528 (successful login). For some reason I can't add a filter; the only option is CONTENT. Any ideas? The variables are available in the manager variables section, and I'm sure that "Username" is part of both events.
And if your operator is "AND" in the same statement, be careful how you choose your "event type".
For example, if you are selecting two rows, both with "Event ID" and operator "AND", you will see only CONTENT in the filter (as this correlation rule does not make sense: fire when both happen), whereas if you choose "OR" you will see all the variables in the filter.
Similarly, let's say in the first row you choose Event ID and in the second row you choose a variable: make sure to select a variable that exists in the event ID, otherwise you will again see only CONTENT in the filter. Hope this makes sense?
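
As an added example (not part of the thread, and not the product's own rule syntax), the Python sketch below shows why one statement that ANDs two Event ID rows can never match a single event, and how the 626-then-528 sequence joined on username behaves instead. The event dictionaries, field names and the 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; "username" is assumed to be the shared field
# the question refers to (the account that was enabled / that logged on).
EVENTS = [
    {"time": "2024-01-10 09:00:00", "event_id": 626, "username": "jdoe"},
    {"time": "2024-01-10 09:02:30", "event_id": 528, "username": "jdoe"},
    {"time": "2024-01-10 09:05:00", "event_id": 528, "username": "asmith"},  # never enabled
    {"time": "2024-01-10 10:00:00", "event_id": 626, "username": "bwong"},
    {"time": "2024-01-10 12:30:00", "event_id": 528, "username": "bwong"},   # outside window
]

def single_statement_and(events, id_a, id_b):
    """Two Event ID rows ANDed in one statement: one event must carry both IDs."""
    return [e for e in events if e["event_id"] == id_a and e["event_id"] == id_b]

def single_statement_or(events, id_a, id_b):
    """Two Event ID rows ORed in one statement: either ID matches."""
    return [e for e in events if e["event_id"] in (id_a, id_b)]

def enabled_then_logon(events, window=timedelta(minutes=15)):
    """Sequence rule: 626, then 528 for the same username within the window."""
    pending = {}   # username -> time the account was enabled
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        user = e["username"].lower()
        if e["event_id"] == 626:
            pending[user] = ts
        elif e["event_id"] == 528 and user in pending:
            enabled_at = pending.pop(user)
            if ts - enabled_at <= window:
                alerts.append((user, enabled_at, ts))
    return alerts

if __name__ == "__main__":
    print("AND in one statement:", len(single_statement_and(EVENTS, 626, 528)))
    print("OR in one statement: ", len(single_statement_or(EVENTS, 626, 528)))
    for user, enabled_at, logon_at in enabled_then_logon(EVENTS):
        print(f"ALERT {user}: enabled {enabled_at}, logon {logon_at}")
```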