6 Replies Latest reply on Jan 30, 2015 11:24 AM by curtisi

    Help with Correlations

    aloader

      I'm brand new to LEM but am now in charge of getting it up and running for my company. I have done pretty well getting things set up as far as the agents and connectors go, but I'm having a little trouble with the correlation for rules. I need to create a rule that will fire when a certain AD group makes any changes to the domain. I.e., if GroupA makes any changes to the network or permissions, adds computers to the network, or performs any other sort of 'change management' function, we want to know about it and we want the notification to come to our email. I've set the rule up, but I'm getting a ton of false positives.


      Under correlations, I've dragged the 'change management events' event group into the box. I then drag my 'groupA' user-defined group into the correlation box as well. I set up the actions box to email the IT shop. However, my inbox becomes inundated with every change management event occurring. How do I specify that I ONLY want the GroupA events?


      Thanks!

        • Re: Help with Correlations
          curtisi

          Can we have a screen shot of the rule?


          Also, which field of the Change Management Event Group did you have set to equal your GroupA?

          • Re: Help with Correlations
            nicole pauls

            To expand on what Curtis said, it sounds like we just need to glue your rule together. The DS group you could think of as the "right hand side" of a comparison, and doesn't do anything on its own.


            Looking at the rules, I think it might be hard to do this in one rule because of how the fields lay out, but I'd start with building a rule that uses Auditable Events (All) - the only sticky part is I don't think that'll include policy changes on devices, we might have to build another rule for that.


            I'd start with this (make sure to drag your admins group over to the placeholder on the right):

            AuditableRule.PNG
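The point the replies make, that a user-defined group dropped into a correlation does nothing until it is compared against a field of the event, can be shown with a small stand-alone model of the two rules. This is an added example and not LEM code or anything posted in the thread: the event set, the field names `event_type` and `source_account`, the group contents and the `DOMAIN\user` account format are all constructed assumptions. `rule_unbound` is the rule as first built (event group only, so every change management event matches), and `rule_bound` is the glued-together version where the account field must equal a member of GroupA.

```python
"""Toy correlation rules: an event group alone vs. an event group bound to an actor group.

Constructed example, not SolarWinds LEM code. Event fields, the event group
contents, the group membership and the account format are all assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumed contents of a "change management" event group.
CHANGE_MANAGEMENT_EVENTS: Set[str] = {
    "UserModifyAttribute",
    "GroupMemberAdd",
    "MachineAdd",
    "PolicyModify",
}

# Assumed membership of the user-defined group the poster calls GroupA.
GROUP_A: Set[str] = {"alice", "bob"}


@dataclass(frozen=True)
class Event:
    event_type: str      # which event type fired
    source_account: str  # account that performed the action, e.g. "CORP\\alice"
    detail: str


# Constructed sample events. Only the first and third are made by GroupA members.
SAMPLE_EVENTS: List[Event] = [
    Event("UserModifyAttribute", "CORP\\alice", "changed description on svc_web"),
    Event("MachineAdd", "CORP\\svc_backup", "joined BACKUP07 to the domain"),
    Event("GroupMemberAdd", "CORP\\Bob", "added carol to Domain Admins"),
    Event("Logon", "CORP\\carol", "interactive logon"),
    Event("PolicyModify", "CORP\\dave", "edited Default Domain Policy"),
]


def normalize_account(account: str) -> str:
    """Strip an optional DOMAIN\\ prefix and lowercase, so the comparison
    against the group is not defeated by case or by a qualified name."""
    _, _, user = account.rpartition("\\")
    return user.lower()


def rule_unbound(events: Iterable[Event]) -> List[Event]:
    """The rule as first built: only the event group is a condition.

    The user-defined group sits in the correlation but is compared to no
    field, so it does not narrow anything; every change management event
    matches, which is the flood of mail the poster saw."""
    return [e for e in events if e.event_type in CHANGE_MANAGEMENT_EVENTS]


def rule_bound(events: Iterable[Event], actor_group: Set[str] = GROUP_A) -> List[Event]:
    """The glued-together rule: event group AND actor field equals a group member.

    The group is the right-hand side of a comparison on the event's
    account field, so only changes made by GroupA members match."""
    return [
        e
        for e in events
        if e.event_type in CHANGE_MANAGEMENT_EVENTS
        and normalize_account(e.source_account) in actor_group
    ]


def alert_lines(matches: Iterable[Event]) -> List[str]:
    """Render the matched events as one-line notifications (stand-in for the email action)."""
    return [f"[{e.event_type}] {e.source_account}: {e.detail}" for e in matches]


if __name__ == "__main__":
    print("unbound rule fires on", len(rule_unbound(SAMPLE_EVENTS)), "events")
    for line in alert_lines(rule_bound(SAMPLE_EVENTS)):
        print("bound rule:", line)
```

Running it with the constructed events shows the unbound rule firing four times (every change management event, regardless of who made it) while the bound rule fires only twice, for the two GroupA accounts. The account normalization is the detail worth keeping in mind when building the real rule: if the event's account field carries a domain prefix or different casing than the names in the group, an exact-match comparison will silently miss those events.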