I'm brand new to LEM but am now in charge of getting it up and running for my company. I have done pretty well getting things set up as far as the agents and connectors go, but I'm having a little trouble with the correlation for rules. I need to create a rule that will fire when a certain AD group makes any changes to the domain, i.e. GroupA makes any changes to the network or permissions, adds computers to the network, or performs any other sort of 'change management' function; we want to know about it, and we want the notification to come to our email. I've set the rule up, but I'm getting a ton of false positives.
Under correlations, I've dragged the 'change management events' event group into the box. I then drag my 'groupA' user-defined group into the correlation box as well. I set up the actions box to email the IT shop. However, my inbox becomes inundated with every change management event occurring. How do I specify that I ONLY want the GroupA events?
Thanks!
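To make the distinction the question turns on concrete, here is an added example (not from the post above and not SolarWinds LEM code) that writes the intended rule out in plain Python: a change-management event should only raise an alert when the account that performed it is a member of GroupA. The event records, the group membership list and the set of change-management event types are all constructed for the example; a real deployment would take them from the SIEM's event stream and a directory lookup. The `alert_on_any_change` function shows the over-broad reading of the rule (fire on every change event regardless of actor) beside the constrained `alert_on_group_change` that ties the group to the event's source account.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class ChangeEvent:
    """Minimal normalized event record (constructed shape, not LEM's schema)."""
    event_type: str       # e.g. "UserModifyAttribute", "ComputerAdd"
    source_account: str   # account that performed the change, DOMAIN\\user form
    target: str           # object that was changed


# Constructed set of event types we treat as 'change management' actions.
CHANGE_MANAGEMENT_TYPES: Set[str] = {
    "UserModifyAttribute",
    "GroupMemberAdd",
    "GroupMemberRemove",
    "ComputerAdd",
    "PermissionChange",
}

# Constructed GroupA membership; a real rule would resolve this from AD.
GROUP_A_MEMBERS: Set[str] = {"CORP\\alice", "CORP\\bob"}


def _norm(account: str) -> str:
    # Account names from different log sources vary in case; compare case-insensitively.
    return account.strip().lower()


def alert_on_any_change(events: Iterable[ChangeEvent]) -> List[ChangeEvent]:
    """Over-broad rule: every change-management event fires, whoever did it.

    This is the behaviour that floods a mailbox, because the actor is never checked.
    """
    return [e for e in events if e.event_type in CHANGE_MANAGEMENT_TYPES]


def alert_on_group_change(
    events: Iterable[ChangeEvent], members: Set[str]
) -> List[ChangeEvent]:
    """Constrained rule: fire only when the event is a change-management action
    AND its source account belongs to the watched group (both conditions on the
    same event, not two independent matches).
    """
    wanted = {_norm(m) for m in members}
    return [
        e
        for e in events
        if e.event_type in CHANGE_MANAGEMENT_TYPES
        and _norm(e.source_account) in wanted
    ]


# Constructed sample events: two by GroupA members, two by others, one non-change event.
SAMPLE_EVENTS: List[ChangeEvent] = [
    ChangeEvent("GroupMemberAdd", "CORP\\alice", "CN=Domain Admins"),
    ChangeEvent("ComputerAdd", "CORP\\helpdesk1", "WS-0042"),
    ChangeEvent("PermissionChange", "corp\\BOB", "\\\\fileserver\\finance"),
    ChangeEvent("UserModifyAttribute", "CORP\\svc_hr", "CN=jdoe"),
    ChangeEvent("Logon", "CORP\\alice", "WS-0001"),  # not a change action
]


if __name__ == "__main__":
    print("any change:", len(alert_on_any_change(SAMPLE_EVENTS)))        # 4
    print("GroupA only:", len(alert_on_group_change(SAMPLE_EVENTS, GROUP_A_MEMBERS)))  # 2
```

The point of writing it this way is that the group membership acts as a filter on a field of each change event (the source account), not as a second, independent event pattern. Whatever the SIEM's rule editor calls that relationship, the check to make when tuning is whether the group condition is bound to the same event as the change condition.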
