Yea, severity levels can be unreliable in some cases. What is the most critical activity that happens on the network for your company?Are you getting any firewall events logged? Is it just the windows generated events? I think looking at the rules that come with the LEM and having your own priorities will help looking at the events they are supposed to alert you about and setting up filters accordingly. There are filters for account lockouts, and changes to the accounts, and servers being offline and many others.
↧