I'm trying to build a real-time monitoring rule for when the CAC requirement is turned off for any account on our network.
My issue is that the event ID is shared, and I'm unable to get any event filter to check for a string value.
The event ID is 4738 and the string value should be (is#24) "%%2060".
Has anyone had any experience with custom real-time monitoring rules?
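The check described in the post, written as an added PowerShell example (not part of the original post and not the syntax of any particular monitoring product): it keeps only 4738 events whose `UserAccountControl` field, the 24th insertion string in the event, contains the `%%2060` token. The function name `Test-SmartcardRequirementRemoved` is hypothetical, and the sample event and its account names are constructed.

```powershell
# Added example. Function name and sample event are constructed for illustration.
function Test-SmartcardRequirementRemoved {
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # 4738 fires for every user-account change, so check the ID first.
    $id = $EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns)
    if ($null -eq $id -or $id.InnerText -ne '4738') { return }

    # Index EventData by field name rather than by insertion-string position.
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # UserAccountControl can hold several %%NNNN tokens plus whitespace, so
    # split it and compare tokens instead of testing the field for equality.
    $tokens = -split ([string]$data['UserAccountControl'])
    if ($tokens -notcontains '%%2060') { return }

    [pscustomobject]@{
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Flags     = $tokens -join ' '
    }
}

# Constructed sample event (trimmed to the fields the function reads).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="UserAccountControl">
        %%2060
        %%2089</Data>
  </EventData>
</Event>
'@
Test-SmartcardRequirementRemoved -EventXml $sample

# Against the live Security log (elevated session):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738} |
#     ForEach-Object { Test-SmartcardRequirementRemoved -EventXml $_.ToXml() }
```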