Here's This Week's Top Query (TWTQ):
Q: I want to apply my correlation rule to a specific set of users. How do I do this?
If this is for a rule you're building from scratch, go to:
Correlation -> Manage rules -> +Create rule
If this is for an existing rule, go to:
Correlation -> Manage rules -> Update icon next to the required rule
A correlation rule is made up of a sequence of events, or actions. Let's say you want the rule to apply to a few specific users:
- Click on 'Advanced' for the first action in the rule.
- Select the filter icon next to the 'Username' field.
- Under the 'Filter' tab, click on '+Add new criteria'.
- Select 'equals' in the dropdown and type in one of the usernames.
- Keep clicking on '+Add new criteria' and repeating the previous step until you've covered all the required users.
- Click on Save.
When you provide multiple 'equals' conditions on the same field, you're giving EventLog Analyzer a list of values to check against: the action matches when the username equals any one of them, not when it equals all of them (a single field can't equal two different values at once, so an AND reading would never match). Because the filter is placed on the first action, it scopes where the rule's event sequence can start. You can apply the same steps to any of the other fields, like device name, process name, etc.
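To make the list-of-values behaviour concrete, here is a small model of a correlation rule whose first action carries a Username filter built from several 'equals' criteria, run over a handful of constructed logon events. This is an added illustration written for this post, not EventLog Analyzer code: the event dictionaries, the field names ("type", "username", "device"), the rule and action classes, and the exact, case-sensitive string comparison are all assumptions of the example, and the correlation itself is simplified (ordered sequence, no time window, no same-user join between actions).

```python
"""Model of how several 'equals' criteria on one field behave in a rule filter.

Added illustration, not EventLog Analyzer code. The event layout, the field
names ("type", "username", "device") and the rule/action classes are assumed
for the example; exact, case-sensitive matching is also an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Event = Dict[str, str]


@dataclass
class FieldFilter:
    """One field with several 'equals' criteria: the values form an accept list."""
    field_name: str
    values: List[str]

    def matches(self, event: Event) -> bool:
        # The criteria are alternatives: the event passes if its value is any one of them.
        return event.get(self.field_name) in self.values


@dataclass
class Action:
    """One step of the rule: an event type plus optional field filters."""
    event_type: str
    filters: List[FieldFilter] = field(default_factory=list)

    def matches(self, event: Event) -> bool:
        return event.get("type") == self.event_type and all(
            f.matches(event) for f in self.filters
        )


@dataclass
class CorrelationRule:
    name: str
    actions: List[Action]


def scope_to_users(rule: CorrelationRule, users: List[str],
                   all_actions: bool = False) -> CorrelationRule:
    """Mirror the click-through above: add a Username filter with one 'equals'
    criterion per user. By default only the first action is scoped."""
    targets = rule.actions if all_actions else rule.actions[:1]
    for action in targets:
        action.filters.append(FieldFilter("username", list(users)))
    return rule


def correlate(rule: CorrelationRule, events: List[Event]) -> List[Tuple[Event, ...]]:
    """Find non-overlapping, in-order occurrences of the action sequence.
    Simplified on purpose: no time window, no same-user join between actions."""
    hits: List[Tuple[Event, ...]] = []
    i = 0
    while i < len(events):
        matched: List[Event] = []
        j = i
        for action in rule.actions:
            while j < len(events) and not action.matches(events[j]):
                j += 1
            if j == len(events):
                break
            matched.append(events[j])
            j += 1
        if len(matched) < len(rule.actions):
            break  # no later start can complete the sequence either
        hits.append(tuple(matched))
        i = j
    return hits


def wrong_and_semantics(event: Event, values: List[str]) -> bool:
    """What an AND reading of several 'equals' criteria would give: a field
    cannot equal two different strings, so two or more values never match."""
    return all(event.get("username") == v for v in values)


# Constructed sample events for the example (not real log data).
SAMPLE_EVENTS: List[Event] = [
    {"type": "logon_failure", "username": "carol", "device": "srv1"},
    {"type": "logon_failure", "username": "alice", "device": "srv1"},
    {"type": "logon_success", "username": "alice", "device": "srv1"},
    {"type": "logon_failure", "username": "carol", "device": "srv2"},
    {"type": "logon_success", "username": "carol", "device": "srv2"},
]


def build_rule(users: List[str]) -> CorrelationRule:
    """'Failed logon followed by a successful logon', scoped to the given users."""
    rule = CorrelationRule("failed-then-success",
                           [Action("logon_failure"), Action("logon_success")])
    return scope_to_users(rule, users)


def hit_usernames(users: List[str]) -> List[str]:
    """Username on the first event of every match for a rule scoped to `users`."""
    return [hit[0]["username"] for hit in correlate(build_rule(users), SAMPLE_EVENTS)]


if __name__ == "__main__":
    print(hit_usernames(["alice", "bob"]))  # ['alice']
    print(hit_usernames(["carol"]))         # ['carol', 'carol']
    print(wrong_and_semantics(SAMPLE_EVENTS[1], ["alice", "bob"]))  # False
```

Scoping only the first action, as the steps above do, decides which users can start the sequence; in this simplified model the later actions are then free to match any user, so if you need every step tied to the same accounts, repeat the filter on those actions as well (the `all_actions` switch does that here).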