
SEM: Rule Help

Needing a hand: this is my first time diving into LEM/SEM, and I created my first rule but it doesn't seem to be working. I'm trying to send email alerts to our help desk each time a user gets disabled, but it doesn't look like it's executing. Not sure if it's my rule or maybe my email template/SMTP is incorrect in some way (I'm able to send test emails from the SMTP portion in the admin console). Images below have more info:

Here are the event rules:



I based it off of these events (edited out certain info):

  • Event Type:
  • EventInfo: Account lockout "domain\username"
  • DetectionIP: DC Server.domain
  • ToolAlias: Vista Security
  • DestinationDomain: DC Server
  • ProviderSID: Microsoft-Windows-Security-Auditing 4740
  • SourceAccount: DC Name
  • Severity:
  • InsertionTime: 2019-08-19 06:45:43
  • Manager: LEM Hostname
  • SourceLogonID:
  • SourceDomain:
  • InsertionIP: DC.domain
  • DetectionTime: 2019-08-19 06:45:41
  • ExtraneousInfo: User Account was locked out after repeated logon failures due to a bad password.
  • DestinationAccount:
  • DestinationMachine: DC.domain
  • ManagerTime: 2019-08-19 06:45:43
  • SourceMachine: User's PC

5 Replies
Level 10


I would build a filter to see if it captures any events.

Then I would look at the Internal Events filter and see if you see any "email send failed" alerts.

Just a couple of thoughts.


Level 14

Try updating the EventInfo field to "Account lockout *" without the quotes, and removing the quotes from your filter basically.
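As an added illustration of the two replies above (this is not code from the post and not SEM's own matching engine), the Python below emulates a rule that matches on ProviderSID and a wildcard EventInfo pattern, runs it over a few constructed lockout events laid out like the fields the original post shows, and counts how many events each pattern would catch. It assumes SEM's `*` wildcard behaves like a shell-style glob (here stood in for by `fnmatch`) and that a quoted pattern is compared literally, which is why the quoted form matches nothing while the unquoted form matches every 4740 lockout. All field values are constructed placeholders.

```python
import fnmatch

# Constructed sample events in the field layout shown in the original post.
# The account names, hosts and the non-lockout event are placeholders, not real data.
SAMPLE_EVENTS = [
    {
        "ProviderSID": "Microsoft-Windows-Security-Auditing 4740",
        "EventInfo": 'Account lockout "domain\\jdoe"',
        "DetectionIP": "DC01.domain",
        "ExtraneousInfo": "User Account was locked out after repeated logon failures due to a bad password.",
    },
    {
        "ProviderSID": "Microsoft-Windows-Security-Auditing 4740",
        "EventInfo": 'Account lockout "domain\\svc_backup"',
        "DetectionIP": "DC02.domain",
        "ExtraneousInfo": "User Account was locked out after repeated logon failures due to a bad password.",
    },
    {
        # A failed-logon event (4625) that should NOT trigger a lockout rule.
        "ProviderSID": "Microsoft-Windows-Security-Auditing 4625",
        "EventInfo": 'Logon failure "domain\\jdoe"',
        "DetectionIP": "DC01.domain",
        "ExtraneousInfo": "Unknown user name or bad password.",
    },
]

# Assumed rule criteria, mirroring the event fields the post is built on.
LOCKOUT_PROVIDER = "Microsoft-Windows-Security-Auditing 4740"


def match_rule(event, event_info_pattern, provider_sid=LOCKOUT_PROVIDER):
    """Emulate the rule's correlation: exact match on ProviderSID,
    wildcard (glob-style) match on EventInfo. The pattern is compared as
    written, so surrounding quotes become literal characters that the
    event text must contain."""
    if event.get("ProviderSID") != provider_sid:
        return False
    return fnmatch.fnmatchcase(event.get("EventInfo", ""), event_info_pattern)


def count_matches(events, event_info_pattern):
    """Return how many events the rule would fire on, the same check a
    'build a filter and see if it captures anything' test performs."""
    return sum(1 for ev in events if match_rule(ev, event_info_pattern))


def matching_accounts(events, event_info_pattern):
    """Return the quoted account strings from EventInfo for matched events,
    useful as the payload of a help-desk notification."""
    found = []
    for ev in events:
        if match_rule(ev, event_info_pattern):
            info = ev["EventInfo"]
            # The account sits between the double quotes in EventInfo.
            start = info.find('"')
            end = info.rfind('"')
            found.append(info[start + 1:end] if 0 <= start < end else info)
    return found


if __name__ == "__main__":
    # The pattern with quotes kept, as in the original rule: matches nothing,
    # because no EventInfo string begins with a literal double quote.
    quoted = '"Account lockout *"'
    # The pattern the reply suggests: quotes removed, wildcard does the work.
    unquoted = "Account lockout *"
    print("quoted pattern matches:", count_matches(SAMPLE_EVENTS, quoted))
    print("unquoted pattern matches:", count_matches(SAMPLE_EVENTS, unquoted))
    print("locked-out accounts:", matching_accounts(SAMPLE_EVENTS, unquoted))
```

Running this prints zero matches for the quoted pattern and two for the unquoted one, with the 4625 event excluded by the ProviderSID condition; the same comparison against a real event stream is what a test filter in SEM would show before the rule's email action is ever exercised.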

Ah, that would make sense; made the change. Is there a way, like in Orion, to simulate the alert/rule? If not, I'll just intentionally lock out one of my accounts to try, haha. (If that fixes it I'll make sure to give your post the correct answer for points.)


Normally I would say just use the criteria in a search and that should work, but after trying to do the same it seems like both filters *should* work. Still, I would go with the templated one, as that should be more thoroughly tested overall.

Additionally, this is what's used in the template rule for the same: