I am trying to determine how to produce an auto reaction (email) in CCMS from specific Audit events in SM20.
Currently, we are logging all security audit events for all users, in all clients. We would like to keep this in place as a way to, at any point in time, piece together a logon event for SOX audit purposes. On the other hand, if I assign an email auto reaction method to the Security\Logon or Security\RFCLogon monitoring nodes in RZ20 (or through CEN), then all audit log events are sent in email, which is not good.
Is there a way to only auto react or only generate CCMS alerts for specific audit events, (ie. logon attempts of special users)?