2 Replies Latest reply on Jul 1, 2013 6:12 PM by nicole pauls

    Newb question - search -> rule?

    bkeeley

      Hi,

      I am trialling log management solutions at the moment.

      I've got an example search configured looking for windows events which relate to account enabled or disabled for those accounts with fire in the name.

      Is there a way to easily take this and create a rule from it?

      ( EventInfo = "User account disabled \"*fire*\"" ) OR ( EventInfo = "\"Account Enabled \\\"*fire*\\\"\"" )

      Thanks

        • Re: Newb question - search -> rule?
          martindl76

          Hello bkeeley,

          First I would tell you that UserEnable and UserDisable are distinct Events in Solarwinds. So you would create your rule with these events. Then when you narrow down your filter you must make sure that you use the DestinationAccount field to filter by user, of course unless you are more interested in who performed the changes (SourceAccount then). I am assuming that you are auditing a DC? When you use your regular expression you can just use *fire* and this will be sufficient. Another cool thing you could do is create a custom list of regular expressions for particular users under Build -> Groups and use this to look for a number of different patterns.

          Hope this helps,

          "was blind and now I SIEM"
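          The distinction martindl76 draws (match on the account-state event type, then on the account that was changed via DestinationAccount, rather than on the operator in SourceAccount) can be shown with a small filter run over sample events. This is an added example, not code from the thread or from SolarWinds LEM; it does not produce LEM rule syntax. The event-type names UserEnable/UserDisable and the field names DestinationAccount/SourceAccount are taken from the reply, the wildcard-to-regex translation is an assumption about how "*fire*" is meant, and the events below are constructed for the demonstration.

```python
"""Filter constructed account-state events by target account, as an added example.

Not SolarWinds LEM code. Field and event names follow martindl76's reply;
the glob-to-regex step and all sample events are assumptions made here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_type: str           # e.g. "UserEnable" / "UserDisable" (names from the reply)
    source_account: str       # who performed the change (SourceAccount)
    destination_account: str  # account that was changed (DestinationAccount)


# Constructed sample events (hypothetical DOMAIN accounts, not real data).
SAMPLE_EVENTS = [
    Event("UserDisable", "DOMAIN\\admin1", "DOMAIN\\firewall-svc"),   # target matches
    Event("UserEnable", "DOMAIN\\fireman", "DOMAIN\\jdoe"),           # only operator matches
    Event("UserEnable", "DOMAIN\\admin1", "DOMAIN\\bonfire"),         # target matches
    Event("Logon", "DOMAIN\\admin2", "DOMAIN\\fire-drill"),           # wrong event type
    Event("UserDisable", "DOMAIN\\admin2", "DOMAIN\\FIRE.user"),      # case-insensitive match
]

# Only account enable/disable events are of interest for this rule.
ACCOUNT_STATE_EVENTS = {"UserEnable", "UserDisable"}


def compile_account_pattern(glob: str) -> re.Pattern:
    """Translate a simple '*' wildcard glob such as '*fire*' into an anchored,
    case-insensitive regex. Everything between the stars is matched literally."""
    parts = [re.escape(p) for p in glob.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def match_events(events, glob="*fire*", field="destination_account"):
    """Return the account-state events whose chosen account field matches the glob.

    field="destination_account" answers "which accounts named *fire* were changed";
    field="source_account" answers "who named *fire* made changes" instead.
    """
    pattern = compile_account_pattern(glob)
    return [
        e for e in events
        if e.event_type in ACCOUNT_STATE_EVENTS and pattern.match(getattr(e, field))
    ]


if __name__ == "__main__":
    for e in match_events(SAMPLE_EVENTS):
        print(f"{e.event_type:12} target={e.destination_account} by {e.source_account}")
```

Running it lists three hits on the target account (firewall-svc, bonfire, FIRE.user) and skips the Logon event and the change made by "fireman" to an unrelated account; switching `field` to `source_account` flips that last case and drops the other three, which is exactly the choice the reply says you must make deliberately.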

          • Re: Newb question - search -> rule?
            nicole pauls

            There's no automagic way to go search to rule (or filter to rule), only filter to search. I think it might be a suggestion in the feature request area, though.

            Easiest thing to do is side by side and recreate your filter/search in rules.