Hi, I'm trying to enable a Windows security group change alert e-mail but only if, say, 'domain admins' is changed.
I've reduced the standard rule (18114) alert level to 6 but added the following to local-rules:

    <rule id="100103" level="10">
      <if_sid>18114</if_sid>
      <match>Domain Admins</match>
      <match>Other security enabled groups....</match>
      <description>Raise alerts for Admin groups</description>
    </rule>
    </group>

E-mail alert trigger is still set to 7+.

I'm seeing alerts on rule 18114 for all groups OTHER than those I have specified above. It looks as if the local_rule 100103 is not being triggered (it is being loaded at startup).

Am I doing this correctly? Any ideas why it's not being triggered?

Regards,
Walter Wilson
