Needing a hand, this is my first time diving into LEM/SEM and created my first rule but doesnt seem to be working. Im trying to send email alerts each time a user gets disabled to our help desk but doesnt look like its executing. Not sure if its my rule or maybe my email template/smtp is incorrect in some way (Im able to send test emails from the SMTP portion in admin console). Images below have more info: Here are the event rules: I based it off of these events (edited out certain info) Event Type UserDisable EventInfo Account lockout "domain\username" DetectionIP DC Server.doamin ToolAlias Vista Security DestinationDomain DC Server ProviderSID Microsoft-Windows-Security-Auditing 4740 SourceAccount DC Name Severity 4 InsertionTime 2019-08-19 06:45:43 Manager LEM Hostname SourceLogonID 012345 SourceDomain domain InsertionIP DC.domain DetectionTime 2019-08-19 06:45:41 ExtraneousInfo User Account was locked out after repeated logon failures due to a bad password. DestinationAccount Username DestinationMachine DC.domain ManagerTime 2019-08-19 06:45:43 SourceMachine User’s PC

This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.

You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

SEM: Rule Help

castlerobertd over 4 years ago

Needing a hand, this is my first time diving into LEM/SEM and created my first rule but doesnt seem to be working. Im trying to send email alerts each time a user gets disabled to our help desk but doesnt look like its executing. Not sure if its my rule or maybe my email template/smtp is incorrect in some way (Im able to send test emails from the SMTP portion in admin console). Images below have more info:

Here are the event rules:

I based it off of these events (edited out certain info)

Event Type

UserDisable

EventInfo

Account lockout "domain\username"

DetectionIP

DC Server.doamin

ToolAlias

Vista Security

DestinationDomain

DC Server

ProviderSID

Microsoft-Windows-Security-Auditing 4740

SourceAccount

DC Name

Severity

InsertionTime

2019-08-19 06:45:43

Manager

LEM Hostname

SourceLogonID

012345

SourceDomain

domain

InsertionIP

DC.domain
- DetectionTime

2019-08-19 06:45:41

ExtraneousInfo

User Account was locked out after repeated logon failures due to a bad password.

DestinationAccount

Username

DestinationMachine

DC.domain
- ManagerTime

2019-08-19 06:45:43

SourceMachine

User’s PC

Top Replies

0 jrouviere over 4 years ago

Try updating the EventInfo field to "Account lockout *" without the quotes. and removing the quotes from your filter basically.
Cancel
Vote Up +2 Vote Down

Cancel
0 jrouviere over 4 years ago in reply to jrouviere

Additionally, this is what's used in the template rule for the same:
Cancel
Vote Up +2 Vote Down

Cancel
0 castlerobertd over 4 years ago in reply to jrouviere

Ah that would make sense, made the change. Is there a way like in Orion to simulate the alert/rule? If not, ill just intentionally lock out one of my accounts to try haha. (If that fixes it ill make sure to give your post correct answer for points)
Cancel
Vote Up 0 Vote Down

Cancel
0 jrouviere over 4 years ago in reply to castlerobertd

Normally I would say just use the criteria in a search and that should work, but after trying to do the same it seems like both filters *should* work. Still I would go with the templated one as that should be more thoroughly tested overall.
Cancel
Vote Up +1 Vote Down

Cancel
0 sosborne99 over 4 years ago

Castlerobertd;
I would do a build a filter to see if it captures any events.
Then I wold look at Internal Events filter and see if you see any email send failed alerts.
Just a couple of thoughts.
sosborne99
Cancel
Vote Up +2 Vote Down

Cancel