RESOLUTION:
1. In InTrust Manager, expand Quest InTrust Manager | Real-Time Monitoring | Rules | .... and right-click the rule that applies to the alert you want to extend.
2. Select Properties from the rule's shortcut menu, then click the Matching tab and the Advanced button (to edit the matching conditions as XML).
3. Add the new event IDs that should trigger the alert to the XML. First locate the line
'EventType = 16 and (
((((((EventID = 560 and striequ( Source, "security" ))'
and append each additional event ID to it with an 'or' (for example 'or EventID = xxxx', where xxxx is the event ID to add), and so on for every ID.
4. Further down in the XML, locate the section:
def ver2008() :=
{
count(select_filtered(
EventID = xxxx and EventType = 16,
striequ( Z.String2, String2 )
and striequ( Z.String3, String3 ),
<parameter name="Time period"></parameter> ))
Add an 'or' after the closing double parentheses '))' and append the following text for each event ID added above (the trailing 'or' joins the block to the next one; omit it after the last block):
count(select_filtered(
EventID = xxxx and EventType = 16,
striequ( Z.String2, String2 )
and striequ( Z.String3, String3 ),
<parameter name="Time period"></parameter> )) or
5. Click OK twice, then commit the changes.
6. The agent configuration is refreshed every 3 hours; restarting the InTrust Server service pushes the updated configuration to the agents without waiting for the next refresh.
7. Test the new rule by generating one of the added events on a monitored computer and confirming that an alert is raised.
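Before attributing a missing alert to the rule edit, confirm that the added event IDs are actually reaching the Security log of the monitored host as failure audits (the rule's EventType = 16 condition). The following PowerShell is an added example for step 7, not Quest's code: $NewEventIds and $LookbackMinutes are placeholders, and the mapping of the rule's String2/String3 to the event's second and third insertion strings (Properties[1] and Properties[2]) is an assumption made for this example.

```powershell
# Added example (not Quest's code). Run on or against a monitored host to confirm that
# the event IDs you added to the rule are being written to the Security log as failure
# audits, and to preview the per-(String2, String3) counts that the rule's
# count(select_filtered(...)) clause evaluates within its "Time period".
param(
    [int[]]$NewEventIds   = @(560),   # placeholder: replace with the IDs you added to the rule
    [int]$LookbackMinutes = 60,       # placeholder standing in for the rule's "Time period"
    [string]$ComputerName = $env:COMPUTERNAME
)

$filter = @{
    LogName   = 'Security'
    Id        = $NewEventIds
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events with ID(s) $($NewEventIds -join ', ') in the last $LookbackMinutes minutes on $ComputerName."
    Write-Warning "Check that the audit policy generates them before troubleshooting the rule:"
    auditpol /get /category:*
    return
}

# The rule matches only failure audits: EventType = 16 is EVENTLOG_AUDIT_FAILURE in the
# classic event-log API, shown as the 'Audit Failure' keyword by Get-WinEvent.
$failures = $events | Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }

if (-not $failures) {
    Write-Warning "Events were found, but none are failure audits; the rule's EventType = 16 condition will not match them."
    return
}

# Approximate the rule's select_filtered(...) grouping. Assumption for this example:
# InTrust String2/String3 are the event's 2nd and 3rd insertion strings, i.e.
# Properties[1] and Properties[2] of the EventLogRecord.
$failures |
    Group-Object -Property Id,
        @{ Expression = { $_.Properties[1].Value } },
        @{ Expression = { $_.Properties[2].Value } } |
    Select-Object @{ n = 'EventID'; e = { $_.Group[0].Id } },
                  @{ n = 'String2'; e = { $_.Group[0].Properties[1].Value } },
                  @{ n = 'String3'; e = { $_.Group[0].Properties[2].Value } },
                  Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

If the script reports no events or no failure audits, the problem is the audit policy on the host, not the rule; if it lists groups with a count at or above the rule's threshold and no alert appears, verify that the updated configuration has reached the agent (step 6) before revisiting the XML.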