Hi there,

I've got a correlation rule working nicely but the EventName data is
"ACL Changed" because that was the value of the EventName for the last
event that fired the Correlation Rule.

I'd like this to be automatically modified to another value such as
"User Created" or use the value contained in the
SentinelProcessingComponent field (rt2 so that the correlated event's
EventName is the same as the Correlation Rule name.

Hope that makes sense!

kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=42702