I need a correlation rule that will trigger an alarm if a user logs in to 2
different Windows systems within a 15 minute period. For example, if user
"win_user" logs on to Windows server "win1" and then logs on to
another Windows server "win2" within 15 minutes, I want the correlation to
be triggered.

Here is the rule I wrote:
filter((((e.ProductName = "Microsoft Active Directory and Windows") and (e.XDASTaxonomyName = "XDAS_AE_CREATE_SESSION")) and (e.XDASOutcomeName = "XDAS_OUT_SUCCESS")))
flow
window((w.TargetHostName != e.TargetHostName), filter(((((e.ProductName = "Microsoft Active Directory and Windows") and (e.XDASTaxonomyName = "XDAS_AE_CREATE_SESSION")) and (e.XDASOutcomeName = "XDAS_OUT_SUCCESS"))), 900)
flow

This rule triggers sometimes, but not on the events I wanted to catch.

Can someone help with this?

adilga's Profile: https://forums.netiq.com/member.php?userid=2291
View this thread: https://forums.netiq.com/showthread.php?t=48765
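As an added example (not part of the original post and not NetIQ Sentinel's correlation language), the following Python reproduces the intended detection outside the product: successful Windows session-creation events are kept per user, and an alert is raised when the same user has a successful logon to a different host within a 900-second window. The event field names mirror those used in the post; the user field (`InitiatorUserName`) and the `EventTime` field are assumptions, and the sample events at the bottom are constructed. The code keys the window by user, since without that a host-mismatch window will pair logons of unrelated accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Correlation window from the post: 900 seconds = 15 minutes.
WINDOW = timedelta(seconds=900)


def is_successful_windows_logon(e):
    """The filter from the post: a successful session creation on Windows."""
    return (
        e.get("ProductName") == "Microsoft Active Directory and Windows"
        and e.get("XDASTaxonomyName") == "XDAS_AE_CREATE_SESSION"
        and e.get("XDASOutcomeName") == "XDAS_OUT_SUCCESS"
    )


def correlate_multi_host_logons(events, window=WINDOW):
    """Return a list of (user, earlier_host, later_host, t_earlier, t_later)
    tuples, one per pair of successful logons by the same user to different
    hosts within `window`. Events are processed in time order."""
    alerts = []
    # Per-user sliding window of (timestamp, host) for successful logons.
    recent = defaultdict(list)
    for e in sorted(events, key=lambda x: x["EventTime"]):
        if not is_successful_windows_logon(e):
            continue
        user = e["InitiatorUserName"]   # assumed user field name
        host = e["TargetHostName"]
        t = e["EventTime"]
        # Expire entries older than the window before comparing.
        recent[user] = [(ts, h) for ts, h in recent[user] if t - ts <= window]
        for ts, h in recent[user]:
            if h != host:               # same user, different system
                alerts.append((user, h, host, ts, t))
        recent[user].append((t, host))
    return alerts


def _ev(minute, user, host, outcome="XDAS_OUT_SUCCESS"):
    """Build a constructed sample event at 10:<minute> on a fixed day."""
    return {
        "EventTime": datetime(2024, 1, 1, 10, minute),
        "ProductName": "Microsoft Active Directory and Windows",
        "XDASTaxonomyName": "XDAS_AE_CREATE_SESSION",
        "XDASOutcomeName": outcome,
        "InitiatorUserName": user,
        "TargetHostName": host,
    }


# Constructed sample data (not real log records).
SAMPLE_EVENTS = [
    _ev(0, "win_user", "win1"),                        # first logon
    _ev(5, "win_user", "win2"),                        # second host, 5 min later -> alert
    _ev(6, "other_user", "win3"),                      # different user -> no alert
    _ev(10, "win_user", "win4", "XDAS_OUT_FAILURE"),   # failed logon -> ignored
    _ev(30, "win_user", "win5"),                       # 25+ min after others -> no alert
    _ev(40, "other_user", "win3"),                     # outside window -> no alert
    _ev(42, "other_user", "win3"),                     # same host -> no alert
]


def sample_alerts():
    return correlate_multi_host_logons(SAMPLE_EVENTS)


if __name__ == "__main__":
    for user, h1, h2, t1, t2 in sample_alerts():
        print(f"ALERT: {user} logged on to {h1} at {t1:%H:%M} "
              f"and {h2} at {t2:%H:%M}")
```

Running the block prints a single alert for win_user (win1 at 10:00, then win2 at 10:05); the failed logon, the other user's logons, and the logons outside the 15 minute window produce nothing.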