1 Reply Latest reply on Aug 10, 2017 9:32 AM by jrouviere

    LEM Rule Creation


      Hello, I am new to LEM and may need more hand-holding.

      I am taking one existing rule and cloning it, "Continuous Excessive Logon Failures"; seems straightforward, right?

      The Correlation "UserLogonFailure" is "check".

      So I added the "Action" Notification -> "Send Email" and that is when all the warnings came up.


      To start, on the Events search "Authentication" yields FailedAuthentication. The Fields area has a red "!". Then, when I include notification by email and try to drag and drop fields, I get the warning "The Event in the action parameter is not present in the correlation". My correlation is simple, "UserLogonFailure", and I now trimmed the action in the send me email to only show "EventInfo".


      Any thoughts?