We are trying to achieve the following:
If 2 or more separate events, which have different event ids and sources, occur within a certain time period, we should be notified by email.
You could think of this as an event chain.
Example of event chain:
1. Microsoft EMET mitigation event (possible exploitation of IEXPLORE.EXE) is logged
2. Application Crash event of IEXPLORE.EXE is logged
3. Software Restriction Policies or AppLocker event is logged
This event chain would give us a clue about a possible malware infection, if logged within, let's say, 1 minute on the same server.
There are more ideas about further interesting event chains.
Currently I am unsure how to set this up.
The Threshold option only applies to one include filter, and I think it is not a good idea to have one include filter looking up all of the above events all together, because this would also trigger an Action if there were several Application Crashes during the defined threshold interval.
It would be nice if you could help me out on this.
Thanks and regards
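The correlation logic described in the post, as an added example that is not part of the original thread or of any monitoring product: events are grouped per server, and a server is reported only when at least two *different* (source, event id) pairs from the chain fall inside the time window, so a burst of identical Application Crashes does not trigger. The event sources and ids in the sample data are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, server, source, event_id).
# Sources and ids are sample values for illustration, not taken from any product.
SAMPLE_EVENTS = [
    # Full chain on SRV01 within 60 seconds: should trigger.
    ("2024-01-01 10:00:05", "SRV01", "EMET", 2),
    ("2024-01-01 10:00:20", "SRV01", "Application Error", 1000),
    ("2024-01-01 10:00:40", "SRV01", "SoftwareRestrictionPolicies", 866),
    # Burst of identical crashes on SRV02: only one distinct event, must not trigger.
    ("2024-01-01 10:05:00", "SRV02", "Application Error", 1000),
    ("2024-01-01 10:05:10", "SRV02", "Application Error", 1000),
    ("2024-01-01 10:05:20", "SRV02", "Application Error", 1000),
    # Two chain events on SRV03 but 120 seconds apart: outside the window.
    ("2024-01-01 10:10:00", "SRV03", "EMET", 2),
    ("2024-01-01 10:12:00", "SRV03", "Application Error", 1000),
]

# The event chain we are watching for, as (source, event_id) pairs.
CHAIN = {("EMET", 2), ("Application Error", 1000), ("SoftwareRestrictionPolicies", 866)}


def find_event_chains(events, chain, window_seconds=60, min_distinct=2):
    """Return {server: sorted distinct chain events} for every server on which
    at least `min_distinct` different (source, id) pairs from `chain` were
    logged within `window_seconds` of each other."""
    per_server = defaultdict(list)
    for ts, server, source, eid in events:
        key = (source, eid)
        if key in chain:  # ignore events that are not part of the chain
            t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            per_server[server].append((t, key))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for server, evs in per_server.items():
        evs.sort()  # chronological order so the window can slide forward
        for i, (t0, _) in enumerate(evs):
            # Distinct chain events that start no later than t0 + window.
            seen = {key for t, key in evs[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                hits[server] = sorted(seen)
                break  # one alert per server is enough for this check
    return hits


if __name__ == "__main__":
    for server, keys in find_event_chains(SAMPLE_EVENTS, CHAIN).items():
        print(f"ALERT {server}: {keys}")
```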