Typically what I have to do is find the events using an nDepth search or in the monitor, gather the data from that, and make the rule match all the fields that way. It's possible your alert is set to look for certain types of events, but it doesn't account for other kinds (the ones you're looking for). It's not necessarily straightforward to fix (assuming that's your problem), but you might be able to add some OR statements to the rule to get it to match on what you're looking for. For example, it might need to be UserLoginFailure.DestinationAccount == Domain Admins OR (rounded bubble thing) EventName.UserLogon == Domain Admins
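To make the "gather the fields from the observed event, then OR a clause onto the rule" workflow concrete, here is an added example in Python; it is not the product's rule syntax and not part of the post above. It assumes a rule is a list of clauses (OR) where each clause is a set of required field values (AND), and uses constructed sample events whose field names mirror the ones mentioned in the post.

```python
# Added example: a minimal rule matcher that shows why a rule keyed on one event
# type misses a second event type carrying the same information, and how OR-ing
# a clause built from the observed event widens the match.
# Rule model (assumption, not SolarWinds LEM syntax):
#   rule   = [clause, clause, ...]   -> any clause may match (OR)
#   clause = {field: value, ...}     -> every field must match (AND)

# Constructed sample events; field names echo the post, values are made up.
EVENTS = [
    {"EventName": "UserLoginFailure", "DestinationAccount": "Domain Admins", "Source": "host-a"},
    {"EventName": "UserLogon",        "DestinationAccount": "Domain Admins", "Source": "host-b"},
    {"EventName": "UserLogon",        "DestinationAccount": "Backup Operators", "Source": "host-c"},
    {"EventName": "UserLoginFailure", "DestinationAccount": "jdoe",          "Source": "host-d"},
]

# Narrow rule: only failed logins against Domain Admins.
NARROW_RULE = [{"EventName": "UserLoginFailure", "DestinationAccount": "Domain Admins"}]

# Widened rule: the narrow clause OR successful logons against Domain Admins.
WIDE_RULE = NARROW_RULE + [{"EventName": "UserLogon", "DestinationAccount": "Domain Admins"}]


def clause_matches(clause, event):
    """All field/value pairs in the clause must be present and equal (AND)."""
    return all(event.get(field) == value for field, value in clause.items())


def rule_matches(rule, event):
    """At least one clause must match (OR)."""
    return any(clause_matches(clause, event) for clause in rule)


def matching_sources(rule, events=EVENTS):
    """Return the Source of every event the rule fires on, in input order."""
    return [ev["Source"] for ev in events if rule_matches(rule, ev)]


def explain_miss(rule, event):
    """For an event pulled from a search that the rule did NOT match, show per
    clause which fields differ as {field: (observed, required)}. This is the
    'gather the data from the event' step: it tells you what to OR in."""
    return [
        {f: (event.get(f), v) for f, v in clause.items() if event.get(f) != v}
        for clause in rule
    ]


def widen_rule(rule, event, fields):
    """Build a clause from the observed event's values for `fields` and OR it
    onto the rule; returns the rule unchanged if that clause already exists."""
    clause = {f: event.get(f) for f in fields}
    return rule if clause in rule else rule + [clause]


if __name__ == "__main__":
    print("narrow rule fires on:", matching_sources(NARROW_RULE))
    print("why host-b was missed:", explain_miss(NARROW_RULE, EVENTS[1]))
    fixed = widen_rule(NARROW_RULE, EVENTS[1], ["EventName", "DestinationAccount"])
    print("widened rule fires on:", matching_sources(fixed))
```

Run it against your own exported events by replacing EVENTS with the records from the search; explain_miss tells you which clause fields the event fails, and widen_rule appends exactly the clause that would have caught it rather than loosening the existing one.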