I want to create an offense rule that alerts when a user is created on a Windows computer and that same user logs in with administrator access. It's two separate events in two different categories with two different event properties that need to match.
First event: BB:CategoryDefinition: User Account Created with Event Property: New Account Name (custom)
Second event: BB:CategoryDefinition: Admin Login Successful with Event Property: Username
The two event properties should match.
What should the syntax of the rule be?