Hello, I am new to LEM and may need more hand-holding.
I am taking one existing rule, "Continuous Excessive Logon Failures", and cloning it; seems straightforward, right?
The correlation "UserLogonFailure" is "check".
So I added the Action Notification -> "Send Email", and that is when all the warnings came up.
To start, on the Events search, "Authentication" yields FailedAuthentication. The Fields area has a red "!". Then, when I include notification by email and try to drag and drop fields, I get the warning "The Event in the action parameter is not present in the correlation". My correlation is simply "UserLogonFailure", and I have now trimmed the action in the "send me email" to only show "EventInfo".
Any thoughts?
Rami