I've read through the documentation around window and gate, but neither
appears to specifically do what I need... and the documentation around
unique versus distinct is lacking.


Microsoft, in all its wisdom, decided that Account Lockout events will
register on the Domain Controller in question and the FSMO role DC. As a
result, the collector can receive 1 or more (not always 1 or 2, can
sometimes be 3 or 4) events, making it difficult to trigger a
correlation for 1 unique event.

However, the other issue is that the details in the Event Log can differ
between the registering DC(s) and the FSMO.

What I want to do is correlate where 1+ events for a single dun within,
say, 30 seconds, then trigger the correlation with all event(s) details
being given to the correlation (to make sure all necessary details are
emailed correctly without spamming the mailbox)... but I also want to do
this without missing multiple account lockouts for the same user
(contradictory enough??).

At the moment the correlation is:

filter((e.XDASClass = 0) AND (e.XDASIdentifier = 2) AND (e.XDASOutcome =
0) AND (e.VendorEventCode = "4740"))flow

ScorpionSting's Profile: https://forums.netiq.com/member.php?userid=469
View this thread: https://forums.netiq.com/showthread.php?t=52117
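
Added example, not part of the original post and not Sentinel correlation rule syntax: the grouping behaviour asked for above, sketched in Python. It collapses the duplicate 4740 reports for one `dun` that arrive within 30 seconds into a single alert carrying every reporter's details, and opens a new alert for a later lockout of the same user. The field names `ts`, `code`, `reporter` and `details`, and all sample values, are assumptions made for the illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 30  # grouping window mentioned in the post


def correlate_lockouts(events, window=WINDOW_SECONDS):
    """Collapse duplicate 4740 reports per target user into one alert per lockout."""
    alerts = []
    open_alert = {}  # dun -> most recent alert for that user
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["code"] != "4740":
            continue
        user = ev["dun"].lower()  # assumption: account names compared case-insensitively
        alert = open_alert.get(user)
        # The window is anchored on the first report, so a second lockout of the
        # same user after the window opens a new alert instead of being absorbed.
        if alert is None or ev["ts"] - alert["first_seen"] > window:
            alert = {"dun": user, "first_seen": ev["ts"],
                     "reporters": [], "details": defaultdict(set)}
            alerts.append(alert)
            open_alert[user] = alert
        alert["reporters"].append(ev["reporter"])
        # Keep every distinct value, since the registering DC and the FSMO role
        # holder can log different details for the same lockout.
        for field, value in ev["details"].items():
            alert["details"][field].add(value)
    return alerts


# Constructed sample events (hostnames, users and detail fields are made up).
SAMPLE = [
    {"ts": 100, "code": "4740", "dun": "jdoe", "reporter": "dc01",
     "details": {"caller": "WKS-17"}},
    {"ts": 101, "code": "4740", "dun": "JDOE", "reporter": "dc-fsmo",
     "details": {"caller": "WKS-17", "domain": "CORP"}},
    {"ts": 103, "code": "4624", "dun": "jdoe", "reporter": "dc01", "details": {}},
    {"ts": 104, "code": "4740", "dun": "asmith", "reporter": "dc02",
     "details": {"caller": "WKS-03"}},
    {"ts": 400, "code": "4740", "dun": "jdoe", "reporter": "dc-fsmo",
     "details": {"caller": "WKS-22"}},
]

if __name__ == "__main__":
    for a in correlate_lockouts(SAMPLE):
        merged = {k: sorted(v) for k, v in a["details"].items()}
        print(a["dun"], a["first_seen"], a["reporters"], merged)
```

This runs over a finished batch; a live pipeline would emit each alert once its window has elapsed so late duplicates are still merged before the email goes out.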