We seem to get a lot of alerts for computer account changes and other things that seem to be part of regular operations. Is there a way to fine-tune and turn down the number of notifications?
It sounds like you have some of the default rules enabled. They are, by design, very broad. We'd rather over-report than under-report and have you miss something. That said, there are some simple things that may help.
Take this group of rules for example:
The highlighted rule will trigger for any user account update, so that's one e-mail. Is a user being enabled an update? Yes, so that triggers the highlighted rule and the Account Enabled rule. It'll also trigger the "Account Events" rule, so unlocking an account is sending out three e-mails. Do you really care about getting notified for every user account event and property update? Probably not, so disable the really broad rules and only activate the specific rules you care about, like lockouts and enables.
Many of the template rules overlap in this way, so you have to make some determinations of just how much noise you want from LEM.
Good information. Where do I locate the Computer Account rules?
If you go to Build --> Rules, and then open the Categories (on the left) for "Change Management" and then "User Changes," the rules from my screenshot and the machine rules are there.
Sorry to be a newbie here. I found those rules. Many of them have "Machine Account" listed. Is that the same as "Computer Account"? The rule for which we seem to be getting the most false positives is similar to this:
computer account "fsbd\annextrain05$" changed: "-" at 2018-06-27 13:38:31.0
I had disabled the rule "Machine Account Properties Updated" as a test, but still get a lot of these.
Is the "Activate Rules" button lit up? You may need to commit the changes.
And yes, Machine = Computer in this case.
Thanks. I think that was the issue. I'll play around with trimming the rule back and see what happens.