3 Replies Latest reply on Jun 15, 2017 10:54 AM by mike.parsons@techgardens.com

    Advanced Correlation and Email Alerts

    rdi.mjenkins

      I have recently added all file and print servers into LEM and enabled file auditing for all servers. I added a rule that will send an email to the support group if a single user creates, updates, modifies, or deletes more than 10 files within a 10-second window. This was done by creating a new event group with the relevant actions and then using advanced correlations to match on detection IP and source account. This will not be the final rule criteria, but it is a start.


      This rule is triggered quite often; however, the email provides useless information, as it only contains details from a single event in the correlation. I need the email to have the full list of files modified. This would be a single line for each event. What function am I missing to make this happen?
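To make the desired behaviour concrete, here is an added example in plain Python that is not LEM's code and not the poster's rule: it implements the correlation described above (group file-audit events by detection IP and source account, fire when more than 10 events land inside a 10-second window) and builds the alert body from every event in the burst rather than from the one event that crossed the threshold. The event record fields (`ts`, `ip`, `account`, `action`, `path`), the server names and the sample events are all constructed for the example and do not reflect LEM's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # correlation window from the post
THRESHOLD = 10                   # "more than 10 files" fires the alert


def make_event(ts, ip, account, action, path):
    """Simplified file-audit record (constructed field names, not LEM's schema)."""
    return {"ts": ts, "ip": ip, "account": account, "action": action, "path": path}


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Per (detection IP, source account), open an alert once more than
    `threshold` events fall inside `window`, then keep appending events to
    that alert until the activity goes quiet for longer than `window`.
    The returned alert therefore carries every file in the burst, not just
    the event that crossed the threshold."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["ip"], ev["account"])].append(ev)

    alerts = []
    for (ip, account), evs in by_key.items():
        start = 0          # oldest event still inside the sliding window
        burst = None       # currently open alert for this key, if any
        for end, ev in enumerate(evs):
            if burst is not None:
                if ev["ts"] - burst["events"][-1]["ts"] <= window:
                    burst["events"].append(ev)   # still part of the same burst
                    continue
                burst = None                      # quiet gap: burst is over
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1                        # drop events older than the window
            if end - start + 1 > threshold:
                burst = {"ip": ip, "account": account,
                         "events": list(evs[start:end + 1])}
                alerts.append(burst)
    return alerts


def render_email(alert):
    """Build the alert body with the full, de-duplicated list of touched files."""
    files = sorted({(e["action"], e["path"]) for e in alert["events"]})
    first, last = alert["events"][0]["ts"], alert["events"][-1]["ts"]
    lines = [f"{alert['account']} on {alert['ip']} touched {len(files)} files "
             f"between {first:%H:%M:%S} and {last:%H:%M:%S}:"]
    lines += [f"  {action:<12} {path}" for action, path in files]
    return "\n".join(lines)


def build_sample_events():
    """Constructed sample data: alice deletes 12 files in 6 s (should alert),
    bob touches 3 files (should not), alice creates one file 40 s later
    (outside the burst, should not alert on its own)."""
    base = datetime(2017, 6, 15, 10, 0, 0)
    events = [make_event(base + timedelta(milliseconds=500 * i), "10.1.1.5",
                         "CORP\\alice", "FileDelete",
                         f"\\\\fs01\\finance\\report{i:02d}.xlsx") for i in range(12)]
    events += [make_event(base + timedelta(seconds=i), "10.1.1.5",
                          "CORP\\bob", "FileWrite", f"\\\\fs01\\hr\\memo{i}.docx")
               for i in range(3)]
    events.append(make_event(base + timedelta(seconds=40), "10.1.1.5",
                             "CORP\\alice", "FileCreate", "\\\\fs01\\finance\\new.xlsx"))
    return events


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(render_email(alert))
        print()
```

The design point is that the alert object is kept open while the burst continues and only the first threshold crossing creates it, so one email per burst goes out and that email lists all files; a rule that emails on every matching event, or only on the triggering event, cannot produce that list. Which LEM action or template variable exposes the correlated events to the email template is the product-specific part this example does not answer.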