locked
Creating correlated event monitor RRS feed

  • Question

  • Hi all,

    I'm trying to create an correlated event monitor, but I'm a bit confused with all the options. I tried to find my answer here, but all the cases I found are a bit different.

    The case is as following:

    We want to monitor if AD account are being enabled (Event 4722). This would be pretty simple, but this event also raises right after when a new account is created (Event 4720).

    So I want to make a correlated event monitor, that monitors if Event 4722 occurs, and when it does, look back if Event 4720 also occured BEFORE this event did. If it does, then I don't want an alert. If 4720 doesn't exist, then I DO want an alert.

    Slinkos


    • Edited by Slinkos Tuesday, February 11, 2020 12:48 PM
    Tuesday, February 11, 2020 12:48 PM

Answers

All replies