I've been building some correlation rules from copies of the default rules in 3.7, then tweaking them to fit our environment.
Has anyone had any experiences doing this? Good/Bad/Ugly ?
This is actually an excellent way to learn to build correlated alerts, and is the method I used when first learning about them.
Copying an included default correlated rule and then creating a view for that copy lets you confirm that you are able to receive alerts for the base condition. You can then break down your modification process into small, testable steps, making incremental changes and testing until you've perfected your correlated alert.
I've done the same for the Windows Authentication correlation events.
Quite a few of the defaults were too chatty in my environment.
The ability to copy the correlation rules is quite useful.
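A product-agnostic illustration of the tuning described in this thread, added here as an example and not code from any of the posts or from any SIEM vendor's rule engine. It models a Windows authentication correlation ("N failed logons followed by a success from the same user and source within a time window") and runs it twice over constructed sample events: once with a low, chatty threshold and once with a tuned one. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security log IDs; the thresholds, window, function names and sample events are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not captured from any real system).
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    # alice: three typos, then logs in (normal user behaviour)
    {"time": "2024-01-01T10:00:00", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-01-01T10:00:20", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-01-01T10:00:40", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"time": "2024-01-01T10:01:00", "event_id": 4624, "user": "alice", "src": "10.0.0.5"},
    # carol: occasional failures spread over half an hour, then a success
    {"time": "2024-01-01T10:10:00", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"time": "2024-01-01T10:18:00", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"time": "2024-01-01T10:26:00", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"time": "2024-01-01T10:34:00", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"time": "2024-01-01T10:42:00", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"time": "2024-01-01T10:45:00", "event_id": 4624, "user": "carol", "src": "10.0.0.9"},
]
# bob: twelve rapid failures (five seconds apart) followed by a success
SAMPLE_EVENTS += [
    {"time": f"2024-01-01T10:05:{5 * i:02d}", "event_id": 4625, "user": "bob", "src": "203.0.113.7"}
    for i in range(12)
]
SAMPLE_EVENTS.append(
    {"time": "2024-01-01T10:06:10", "event_id": 4624, "user": "bob", "src": "203.0.113.7"}
)


def correlate_failed_then_success(events, threshold, window_seconds):
    """Alert when at least `threshold` failed logons (4625) from the same
    user/source occur within `window_seconds` and are then followed by a
    successful logon (4624). Returns one alert dict per match."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        key = (e["user"], e["src"])
        t = datetime.fromisoformat(e["time"])
        recent = failures[key]
        # Slide the window: drop failures older than window_seconds.
        while recent and t - recent[0] > window:
            recent.popleft()
        if e["event_id"] == 4625:
            recent.append(t)
        elif e["event_id"] == 4624:
            if len(recent) >= threshold:
                alerts.append({
                    "user": e["user"],
                    "src": e["src"],
                    "failures": len(recent),
                    "success_at": e["time"],
                })
            recent.clear()  # a success resets the failure run
    return alerts


def run_default():
    """Copy of the 'default' rule: 3 failures in 5 minutes. Chatty: fires on alice too."""
    return correlate_failed_then_success(SAMPLE_EVENTS, threshold=3, window_seconds=300)


def run_tuned():
    """Tuned copy: 10 failures in 5 minutes. Fires only on bob's rapid burst."""
    return correlate_failed_then_success(SAMPLE_EVENTS, threshold=10, window_seconds=300)


if __name__ == "__main__":
    for name, alerts in (("default", run_default()), ("tuned", run_tuned())):
        print(f"{name}: {len(alerts)} alert(s)")
        for a in alerts:
            print(f"  {a['user']} from {a['src']}: {a['failures']} failures before {a['success_at']}")
```

Running the same sample set through both copies is the "small, testable step" approach from the earlier reply: keep the base rule as a reference, change one parameter at a time, and confirm the alert still fires for the case you care about (bob) while the benign noise (alice) drops out.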