I am creating Correlated event basing on logon failure. the condition is: If there is 5 logon failure behaviour within 1 mins, the correlated rule will fire an Brute Force Attemp event.
However, the issue here is most of the Base event information related to that correlated event is not populated within Correlated event detail.
Is there anyway that we can pull the information from base event then insert it into respective correlated events?
Thank you for your advice in advance,