I have an event for every successful AD login.
Each event is set to fire when there is a successful AD logon keyed off UserID
I was trying to test throw a Correlation alert from these events, to test how the correlation engine works my first attempt was (this is where I stopped since it doesn’t seem to work as I had hoped/thought):
for last 1 min
run every 1 min
if AD Success Logon
Send Email Notification
It appears to be the Alert fires:
- Only after three AD Success Logon events (as expected)
- For any three AD Success Logon events - NOT BY KEY: UserID (Not as expected)
- No matter the backlog log set for the notification only one shows in the email. (though this may not be an issue since during testing each Alert was truly for one Key: UserID)
- An Alert for each unique UserID (as expected)
What I would have expected to happen was:
- After three events of the same type (AD Success Logon) with the same Key: UserID, I would get an Alert.
- The Backlog data would only contain the Key: UserID events that happened within the above criteria i.e. last 1 min 3 AD Success Logons for Key UserID 3 or more.
I guess my questions are A. am I off on how this should work? B. if this is the intended operation can it be changed/updated to say correlate to the Key(s)?
I believe it would be a much more useful tool if it would operate as I had expected it too. Currently the Correlation event described above would fire every time there were three AD Success Logon events even if there was not three with the same Key: UserID, without it matching on both event type and Key you get alerts when there aren’t truely the correct criteria matching i.e. the event happened by the same Key: UserID.