SEM: Rule Help

Needing a hand: this is my first time diving into LEM/SEM. I created my first rule, but it doesn't seem to be working. I'm trying to send email alerts to our help desk each time a user gets disabled, but it doesn't look like it's executing. Not sure if it's my rule or maybe my email template/SMTP is incorrect in some way (I'm able to send test emails from the SMTP portion in the admin console). Images below have more info:

Here are the event rules:

pastedImage_0.png

pastedImage_6.png

I based it off of these events (edited out certain info):

  • Event Type: UserDisable
  • EventInfo: Account lockout "domain\username"
  • DetectionIP: DC Server.domain
  • ToolAlias: Vista Security
  • DestinationDomain: DC Server
  • ProviderSID: Microsoft-Windows-Security-Auditing 4740
  • SourceAccount: DC Name
  • Severity: 4
  • InsertionTime: 2019-08-19 06:45:43
  • Manager: LEM Hostname
  • SourceLogonID: 012345
  • SourceDomain: domain
  • InsertionIP: DC.domain
  • DetectionTime: 2019-08-19 06:45:41
  • ExtraneousInfo: User Account was locked out after repeated logon failures due to a bad password.
  • DestinationAccount: Username
  • DestinationMachine: DC.domain
  • ManagerTime: 2019-08-19 06:45:43
  • SourceMachine: User’s PC

5 Replies
jrouviere
Level 14

Re: SEM: Rule Help

Try updating the EventInfo field to "Account lockout *" without the quotes, basically removing the quotes from your filter.

jrouviere
Level 14

Re: SEM: Rule Help

Additionally, this is what's used in the template rule for the same:

pastedImage_0.png


Re: SEM: Rule Help

Ah, that would make sense; made the change. Is there a way, like in Orion, to simulate the alert/rule? If not, I'll just intentionally lock out one of my accounts to try, haha. (If that fixes it, I'll make sure to mark your post as the correct answer for points.)

jrouviere
Level 14

Re: SEM: Rule Help

Normally I would say just use the criteria in a search and that should work, but after trying to do the same it seems like both filters *should* work. Still, I would go with the templated one, as that should be more thoroughly tested overall.
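For the "is there a way to simulate the rule" question above, here is a small offline dry run of the rule logic against constructed events modelled on the fields in the original post. This is an added example, not SEM's own code or its exact matching engine: it assumes SEM-style filters where `*` matches any run of characters, that comparisons are case-insensitive, and that any other character in the filter (including a quote character) is matched literally. The event values and names are placeholders.

```python
import re

# Constructed sample events, modelled on the fields in the original post.
# Hosts, accounts and IDs are placeholders, not real values.
SAMPLE_EVENTS = [
    {
        "name": "lockout-4740",
        "EventType": "UserDisable",
        "EventInfo": 'Account lockout "domain\\jdoe"',
        "ProviderSID": "Microsoft-Windows-Security-Auditing 4740",
        "DestinationAccount": "jdoe",
        "SourceMachine": "WORKSTATION-01",
    },
    {
        # Constructed: a genuine "account disabled" event (Windows ID 4725),
        # which the lockout-specific EventInfo filter is not meant to catch.
        "name": "disable-4725",
        "EventType": "UserDisable",
        "EventInfo": "User account disabled",
        "ProviderSID": "Microsoft-Windows-Security-Auditing 4725",
        "DestinationAccount": "jsmith",
        "SourceMachine": "DC-01",
    },
    {
        "name": "logon-4624",
        "EventType": "UserLogon",
        "EventInfo": "Successful logon",
        "ProviderSID": "Microsoft-Windows-Security-Auditing 4624",
        "DestinationAccount": "jdoe",
        "SourceMachine": "WORKSTATION-01",
    },
]

# The rule as discussed in the thread: match on EventType plus a wildcard
# EventInfo pattern (no surrounding quotes).
RULE = {
    "name": "Notify help desk on account lockout",
    "conditions": {
        "EventType": "UserDisable",
        "EventInfo": "Account lockout *",
    },
}


def field_matches(pattern: str, value: str) -> bool:
    """Wildcard compare where only '*' is special (assumption about SEM filters).

    Everything else in the pattern, quote characters included, must appear
    literally in the value; the compare is case-insensitive.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def rule_fires(rule: dict, event: dict) -> bool:
    """All conditions must match (AND), as in the screenshots' rule group."""
    return all(
        field_matches(pattern, str(event.get(field, "")))
        for field, pattern in rule["conditions"].items()
    )


def simulate(rule: dict, events: list) -> list:
    """Dry run: names of the events that would trigger the rule's email action."""
    return [event["name"] for event in events if rule_fires(rule, event)]


def with_conditions(rule: dict, **conditions) -> dict:
    """Copy of the rule with some conditions replaced, to compare filter variants."""
    return {**rule, "conditions": {**rule["conditions"], **conditions}}


def build_alert(event: dict) -> dict:
    """The help desk message the action would send (hypothetical template)."""
    return {
        "subject": f"[SEM] {event['EventType']}: {event['DestinationAccount']}",
        "body": f"{event['EventInfo']} (source: {event['SourceMachine']})",
    }


if __name__ == "__main__":
    for label, variant in [
        ("wildcard, no quotes", RULE),
        ("no trailing *", with_conditions(RULE, EventInfo="Account lockout")),
        ("quotes kept", with_conditions(RULE, EventInfo='"Account lockout *"')),
    ]:
        hits = simulate(variant, SAMPLE_EVENTS)
        print(f"{label:20s} -> {hits}")
        for event in SAMPLE_EVENTS:
            if event["name"] in hits:
                print("   ", build_alert(event))
```

Running it shows the wildcard filter firing only on the lockout event, while a filter with no trailing `*` (exact compare against a value that continues with the account name) or one that keeps the quote characters fires on nothing, so a zero-hit dry run points at the filter text rather than at SMTP.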

sosborne99
Level 10

Re: SEM: Rule Help

Castlerobertd,

I would build a filter to see if it captures any events.

Then I would look at the Internal Events filter and see if you see any "email send failed" alerts.

Just a couple of thoughts.

sosborne99