Hey everyone!

Here's This Week's Top Query (TWTQ):

Q: I want to apply my correlation rule to a specific set of users. How do I do this?

If this is for a rule you're building from scratch, go to:

Correlation -> Manage rules -> +Create rule

If this is for an existing rule, go to:

Correlation -> Manage rules -> select the Update icon next to the required rule

A correlation rule is made up of a sequence of events, or actions. Let's say you want the rule to apply to a few specific users:

- Click on 'Advanced' for the first action in the rule.
- Select the filter icon next to the 'Username' field.
- Under the 'Filter' tab, click on '+Add new criteria'.
- Select 'equals' in the dropdown and type in one of the usernames.
- Keep clicking on '+Add new criteria' and repeating the previous step until you've covered all the required users.
- Click on Save.

When you provide multiple 'equals' conditions, you're basically giving EventLog Analyzer a list of values to check for. You can apply the same steps to any of the other fields, like device name, process name, etc.