Event rule - compare two parameters in an expression

Hi,

We've currently got a rule which successfully alerts when a user is added to a group.  Usually event id 4728.  All good.  

I've been asked to duplicate this rule.  In addition to the current criteria, if an admin adds themselves to a group, an alert is sent to the relevant group.  The parameters for this event I'm most interested in are 2 and 6.

CN=John Smith,OU=New York,DC=xyz,DC=local|
S-1-5-21-333333333-2222222222-888888888-9999|
grp-security|
xyzdomain|
S-1-5-21-333333333-2113383345-444444444-41115|
S-1-5-21-333333333-2222222222-888888888-9999|
jsmith.adm|
xyzdomain|
0x9456781|-

The question is, can I compare parameter 2 and parameter 6 in an expression?  The parameter name side is fine but how do I use parameter 6 as the value?  When these parameters are used in a response they match.  Any ideas?

Thanks in advance.

July 5th, 2015 5:04am

Hi

Yes, you can compare two value expressions in the event ID rule; for this you need to use an XPath query expression, as below.

  <ConditionDetection ID="Filter" TypeID="System!System.ExpressionFilter">
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">Params/Param[2]</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <XPathQuery Type="String">Params/Param[6]</XPathQuery>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </ConditionDetection>

You need to make this change using notepad in authoring console.

Regards

                   
July 15th, 2015 2:18am
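
Added example (not part of the original posts): a Python sketch that evaluates the same two XPath queries against the parameter list from the question, to check offline that Param[2] and Param[6] are the 1-based positions of the member SID and the acting account's SID. The DataItem/Params/Param tree is a simplified assumption about what the filter sees, and the helper names and the second sample event are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Parameter string from the question (event 4728), joined onto one line.
SELF_ADD = (
    "CN=John Smith,OU=New York,DC=xyz,DC=local|"
    "S-1-5-21-333333333-2222222222-888888888-9999|grp-security|xyzdomain|"
    "S-1-5-21-333333333-2113383345-444444444-41115|"
    "S-1-5-21-333333333-2222222222-888888888-9999|jsmith.adm|xyzdomain|"
    "0x9456781|-"
)
# Constructed counter-example: a different account (made-up SID) adds the member.
OTHER_ADD = SELF_ADD.replace(
    "S-1-5-21-333333333-2222222222-888888888-9999|jsmith.adm",
    "S-1-5-21-333333333-2222222222-888888888-1234|other.adm",
)


def build_data_item(param_string):
    """Build a simplified <DataItem><Params><Param>... tree (assumed shape)."""
    item = ET.Element("DataItem")
    params = ET.SubElement(item, "Params")
    for value in param_string.split("|"):
        ET.SubElement(params, "Param").text = value
    return item


def xpath_string(item, query):
    """Return the text of the first node matching query, or '' if none."""
    node = item.find(query)
    return (node.text or "") if node is not None else ""


def is_self_add(item):
    """Mirror the Equal filter: Param[2] (MemberSid) vs Param[6] (SubjectUserSid)."""
    member_sid = xpath_string(item, "Params/Param[2]")
    actor_sid = xpath_string(item, "Params/Param[6]")
    # Choice made in this example: two missing parameters must not count as equal.
    return bool(member_sid) and member_sid == actor_sid


if __name__ == "__main__":
    for label, sample in (("self add", SELF_ADD), ("other admin", OTHER_ADD)):
        print(label, "->", is_self_add(build_data_item(sample)))
```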

Hi,  Yes that worked.  Thanks for your help.
August 5th, 2015 1:39am

This topic is archived. No further replies will be accepted.
