
group changed "builtin\administrators" security enabled local group

Hi,

I'm fairly new to LEM, loving it so far!  Since I set it up, the following alert, "group changed "builtin\administrators" security enabled local group at", has been triggering every 15 - 20 minutes.  The Event name in the Console is "ChangeGroupAttribute".  I suspect this is a GPO we have that adds a couple of service accounts to the local admins group on the member server.  What I would like to do is change the Rule to exclude Source Accounts with "$" in them rather than disable the rule altogether.  However, I don't know which rule is triggering the alert.  Any ideas?

-Chad

  • So you're getting an e-mail?

    1. Go to nDepth
    2. Under Events, find "InternalRuleFired"
    3. In the fields, find "Extraneous Info"
    4. Drag "Extraneous Info" to the search bar at the top of the nDepth screen
    5. In the field, enter *email*
    6. Search!

    The LEM ought to come back with all the times the rules sent an e-mail, and what rules are responsible.  Take a look at those, and if you can figure out which rule and send a screenshot, we can probably find a way to modify it.

  • Hi Curtisi,

    I think I figured out which rule is getting fired here thanks to your help.

    Event Info:  The "Group Events" rule Fired.

    So I cloned the original Rule and modified it by adding this Correlation: "Auditable Machine Account Events.SourceAccount not = to *$*".  Would that be correct?

    -Chad

  • You're on the right track with your thinking, so it's just the details. The default rule is correlating off the [Auditable Group Events] Event Group, so you'll want to use the same Event Group for the SourceAccount field.

    I think something like this would work:

    (Screenshot: SolarWinds Log & Event Manager rule editor, 2015-08-21, showing the modified rule.)
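    The exclusion discussed in this thread, reduced to its decision logic, as an added example that is not part of the original post and not LEM's own code. It models the cloned "Group Events" rule: fire on a ChangeGroupAttribute event against builtin\administrators unless the SourceAccount matches a LEM-style wildcard pattern. The `GroupEvent` record, the `should_alert` and `alerting_accounts` helpers, the wildcard-to-regex translation and the sample events are all constructed here for illustration; only the event name, field name and the `*$*` pattern come from the thread. It also shows, as a generalization, the difference between `*$*` (a `$` anywhere in the name) and an end-anchored `*$` (machine-account naming only).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupEvent:
    """Constructed stand-in for a LEM group event (not LEM's real schema)."""
    event_name: str       # LEM event name, e.g. "ChangeGroupAttribute"
    source_account: str   # account that made the change (SourceAccount)
    target_group: str     # group that was changed


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a LEM-style pattern, where '*' matches any run of characters
    and everything else is literal, into an anchored, case-insensitive regex.
    '$' is escaped, so '*$*' means 'contains a dollar sign', not 'end of string'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def matches(pattern: str, value: str) -> bool:
    """True when the whole value matches the wildcard pattern."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def should_alert(event: GroupEvent, exclude_source_pattern: str = "*$*") -> bool:
    """Mirror the cloned rule: alert on changes to builtin\\administrators
    unless the SourceAccount matches the exclusion pattern."""
    if event.event_name != "ChangeGroupAttribute":
        return False
    if event.target_group.lower() != r"builtin\administrators":
        return False
    if matches(exclude_source_pattern, event.source_account):
        return False  # suppressed, e.g. a GPO applied by a machine account
    return True


def alerting_accounts(events, exclude_source_pattern: str = "*$*"):
    """Return the SourceAccounts that would still raise an alert."""
    return [e.source_account for e in events
            if should_alert(e, exclude_source_pattern)]


# Constructed sample events; the account and host names are made up.
SAMPLE_EVENTS = [
    # GPO applying local-admin membership runs as the machine account.
    GroupEvent("ChangeGroupAttribute", r"CORP\SRV01$", r"builtin\administrators"),
    # An interactive user changing local admins: this is what we want to see.
    GroupEvent("ChangeGroupAttribute", r"CORP\jdoe", r"builtin\administrators"),
    # Same user, different group: outside the rule's scope.
    GroupEvent("ChangeGroupAttribute", r"CORP\jdoe", r"builtin\users"),
    # A human-named account that happens to contain '$' in the middle.
    GroupEvent("ChangeGroupAttribute", r"CORP\svc$backup", r"builtin\administrators"),
]

if __name__ == "__main__":
    print("alerts with '*$*':", alerting_accounts(SAMPLE_EVENTS, "*$*"))
    print("alerts with '*$' :", alerting_accounts(SAMPLE_EVENTS, "*$"))
```

    With the thread's `*$*` pattern only `CORP\jdoe` alerts, because `*$*` also suppresses any account with a `$` anywhere in its name; the end-anchored `*$` keeps `CORP\svc$backup` visible. Either way the suppressed events are still worth retaining for nDepth searches: anything running in a host's SYSTEM context reports as that host's machine account, so the exclusion silences the alert, not the record.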

  • That did it!  Thank you!