On Wed, Feb 1, 2012 at 4:21 PM, Peter M Abraham
<peter.abra...@dynamicnet.net> wrote:
> Good day:
>
> Given the following rule
>
>  <rule id="180000" level="11">
>    <if_sid>18107</if_sid>
>    <match>Logon Type: 10</match>
>    <description>Windows RDP Login.</description>
>    <group>authentication_success,</group>
>  </rule>
>
> What could we add so that if the "User Name" is not a specific value
> AND the "Source Network Address" is not a specific value, that an
> email is triggered to a specific email address?
>
> Thank you.

<rule id="180001" level="0">
  <if_sid>180000</if_sid>
  <user>User Name</user>
  <srcip>Source Network Address</srcip>
  <description>Ignore stuff</description>
</rule>

Then create a granular email alert for rule 180000.
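
An added example (not part of the original thread) of the two pieces the reply describes: the level-0 child rule with values filled in, and a granular `<email_alerts>` entry in ossec.conf for rule 180000. The user name `svc_admin`, the address `192.0.2.10`, and the mailbox `secops@example.com` are constructed placeholders, and the example assumes the Windows decoder populates the user and srcip fields for this event.

```xml
<!-- local_rules.xml: child of rule 180000 from the thread.
     Conditions inside one rule are ANDed, so this rule fires (and
     silences the alert) only when the user AND the source address
     both match. Any other combination still raises rule 180000.
     To silence the alert when either value matches, split the two
     conditions into two separate level-0 child rules instead. -->
<group name="local,windows,">
  <rule id="180001" level="0">
    <if_sid>180000</if_sid>
    <user>svc_admin</user>        <!-- placeholder user name -->
    <srcip>192.0.2.10</srcip>     <!-- placeholder source address -->
    <description>Expected RDP login, ignored.</description>
  </rule>
</group>

<!-- ossec.conf: granular email alert for rule 180000 only.
     The mailbox is a placeholder. -->
<ossec_config>
  <email_alerts>
    <email_to>secops@example.com</email_to>
    <rule_id>180000</rule_id>
    <do_not_delay />   <!-- send immediately -->
    <do_not_group />   <!-- one mail per alert -->
  </email_alerts>
</ossec_config>
```

Replaying a sample event through `ossec-logtest` shows which of the two rules fires before the change goes live.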
