I'd want to correlate events, say a user login success, changing an admin group and then changing a password?
How can this be done?
You could create a rule that checks all three and alerts on it, I think, pretty easily. Once the data is normalized it's fairly easy to set up a condition that's checked and either filter or alert on it. So you basically would filter on login success AND group change AND password change together. Just make sure to select the AND and not OR to match on all three together. You can even add checking that it's a specific group or OU if that's how you single out your users that are admins. It's taking me a little while to get used to the filtering in LEM, but once you do a few it starts to get easier. One way that helps me is to capture the actual events I'm looking for in the monitoring tab so I can use the actual event to help build the filter for it. Some of the success center links and the training videos help get started... or at least they did for me.
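The three-step correlation discussed above, sketched in Python as an added example (it is not from the original posts and is not LEM rule syntax): events from the same account must occur in order within a time window. The field names, the 10-minute window, the `Domain Admins` group and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SEQUENCE = ("login_success", "group_change", "password_change")
WINDOW = timedelta(minutes=10)        # assumed correlation window
ADMIN_GROUPS = {"Domain Admins"}      # assumed group that marks admins

# Constructed, already-normalized sample events (not real log data).
EVENTS = [
    {"time": "2024-05-01T08:00:00", "actor": "bkim", "type": "login_success"},
    {"time": "2024-05-01T08:05:00", "actor": "bkim", "type": "group_change", "group": "Domain Admins"},
    {"time": "2024-05-01T08:30:00", "actor": "bkim", "type": "password_change"},  # too late
    {"time": "2024-05-01T09:00:00", "actor": "jdoe", "type": "login_success"},
    {"time": "2024-05-01T09:00:30", "actor": "asmith", "type": "login_success"},
    {"time": "2024-05-01T09:01:00", "actor": "asmith", "type": "group_change", "group": "Printer Operators"},
    {"time": "2024-05-01T09:02:00", "actor": "jdoe", "type": "group_change", "group": "Domain Admins"},
    {"time": "2024-05-01T09:03:00", "actor": "asmith", "type": "password_change"},  # non-admin group
    {"time": "2024-05-01T09:05:00", "actor": "jdoe", "type": "password_change"},
]

def correlate(events, window=WINDOW):
    """Return (actor, first_event_time, last_event_time) for each account that
    completes SEQUENCE in order, with all three steps inside the window."""
    progress = {}   # actor -> (index of next expected step, time of first step)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        actor = ev["actor"]
        # Only changes to an admin group count as the second step.
        if ev["type"] == "group_change" and ev.get("group") not in ADMIN_GROUPS:
            continue
        step, start = progress.get(actor, (0, ts))
        if step > 0 and ts - start > window:
            step, start = 0, ts          # window expired: start over
        if ev["type"] != SEQUENCE[step]:
            continue                     # not the step we are waiting for
        if step == 0:
            start = ts                   # the login opens the window
        step += 1
        if step == len(SEQUENCE):
            alerts.append((actor, start.isoformat(), ts.isoformat()))
            progress.pop(actor, None)
        else:
            progress[actor] = (step, start)
    return alerts

if __name__ == "__main__":
    for actor, first, last in correlate(EVENTS):
        print(f"ALERT {actor}: login, admin group change, password change ({first} to {last})")
```

Keying the state on the account and enforcing both order and a window is what separates this from a filter that matches any one of the three event types on its own.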