I have recently added all file and print servers into LEM and enabled file auditing for all servers. I added a rule that will send an email to the support group if a single user creates, updates, modifies, or deletes more than 10 files within a 10 second window. This was done by creating a new event group with the relevant actions and then using advanced correlations to match on detection IP and source account. This will not be the final rule criteria, but is a start.
This rule is triggered quite often; however, the email provides useless information, as it only includes details from a single event in the correlation. I need the email to have the full list of files modified. This would be a single line for each event. What function am I missing to make this happen?