I have a user account lockout rule that is working well, sending emails when an account is locked.
Every once in a while, I'll get 2 alerts within a minute or so referencing the same user, but reported by a different AD domain controller.
I want to use these alerts to open tickets in our incident management system, but I don't want 2 for the same account when the above occurs.
Is the correlation function capable of handling that? Does anyone have recommendations for settings?
Thanks!
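Added example, not part of the original post and not any product's built-in correlation feature: one way to collapse lockout alerts for the same account that arrive from different domain controllers before a ticket is opened. The field names, the sample alerts and the 120-second window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Assumption: suppression window; the post reports duplicates "within a minute or so".
WINDOW = timedelta(seconds=120)

# Constructed sample alerts (hypothetical field names, not from any product).
SAMPLE_ALERTS = [
    {"time": "2024-05-01T09:00:05", "account": "CORP\\jsmith", "reported_by": "DC01"},
    {"time": "2024-05-01T09:00:41", "account": "corp\\JSmith", "reported_by": "DC02"},
    {"time": "2024-05-01T09:01:10", "account": "CORP\\adoe", "reported_by": "DC02"},
    {"time": "2024-05-01T09:30:00", "account": "CORP\\jsmith", "reported_by": "DC01"},
]

def account_key(account):
    """Normalize the account name so case differences between DCs do not split it."""
    return account.strip().lower()

def dedupe_lockouts(alerts, window=WINDOW):
    """Return one ticket per account per window; the reporting DC is not part of the key."""
    tickets = []
    latest = {}  # account key -> most recent ticket opened for that account
    for alert in sorted(alerts, key=lambda a: a["time"]):
        when = datetime.fromisoformat(alert["time"])
        key = account_key(alert["account"])
        ticket = latest.get(key)
        # The window is measured from the first alert, so a long run of repeats
        # cannot suppress new tickets indefinitely.
        if ticket is not None and when - ticket["first_seen"] <= window:
            # Same account inside the window: note the extra DC, open no new ticket.
            ticket["reported_by"].append(alert["reported_by"])
            continue
        ticket = {"account": key, "first_seen": when,
                  "reported_by": [alert["reported_by"]]}
        latest[key] = ticket
        tickets.append(ticket)
    return tickets

if __name__ == "__main__":
    for t in dedupe_lockouts(SAMPLE_ALERTS):
        print(t["first_seen"].isoformat(), t["account"], ",".join(t["reported_by"]))
```

The key is the account alone, so the second domain controller's report is attached to the existing ticket, while a lockout of the same account half an hour later still opens a new one.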