
LEM Rules exact match syntax

I have created a rule in LEM and by itself it is firing correctly... for the most part. We have a list of individuals whose lockouts we monitor. The trouble I run into is that we get a few false positives because the rule catches other users.

Correlations

UserDisable.EventInfo = *JDoe*

This successfully fires an email if JDoe gets locked out. However, because it is not an exact match, it will also catch JDoe1 and JDoe2 if there are multiple similar events. At this time we are not interested in JDoe1/2's lockouts and would like to exclude these users. This seems like it should be easy enough to do, but I'm unsure what is being missed.

Any help would be appreciated.

  • Hello Sbaird,

    I think in this case the issue is using wildcards in the EventInfo field.  You're trying to search for a specific string inside of a string, so you're trying to find "User Account Disabled, jdoe" instead of "User Account Disabled, jdoe1" for example.  By using the wildcards you're telling LEM to search the string for all jdoe strings.  That much I think you've figured out, so here are a couple of suggestions:

    1. If the account is the end of the string, make the correlation *jdoe instead of *jdoe* (so leave off the trailing wildcard).
    2. Check your event data as you may be able to use another field that only has the account name in it, instead of EventInfo.  So you can set your correlation to UserDisable.DestinationAccount = JDoe instead of needing the wildcards at all.  Furthermore, if that's an option for you, you can set up a group (Directory Service Group or User Defined Group) so that you just have the one line of correlation for all of your users.
  • Thanks for the reply! Unfortunately, removing the trailing wildcard was already a thought that I had, but this results in the rule not being triggered... though I am unsure why that is. However, Eureka! Your second idea was a direct hit. Changing the rule to "UserDisable.DestinationAccount = JDoe" works as I had hoped. I will switch to that option.
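The three correlation styles discussed in this thread (substring wildcard on EventInfo, trailing-anchored wildcard, and exact match on DestinationAccount), simulated over constructed events as an added example that is not LEM's own matching code. It assumes LEM's `*` behaves like a case-insensitive glob and that EventInfo carries text after the account name, which is one plausible reason the `*jdoe` form never fired; the EventInfo layout below is made up for the demonstration.

```python
import fnmatch

# Constructed sample events; the EventInfo layout is an assumption, not LEM's real format.
EVENTS = [
    {"EventInfo": "User Account Disabled, JDoe, Reason: lockout threshold", "DestinationAccount": "JDoe"},
    {"EventInfo": "User Account Disabled, JDoe1, Reason: lockout threshold", "DestinationAccount": "JDoe1"},
    {"EventInfo": "User Account Disabled, JDoe2, Reason: lockout threshold", "DestinationAccount": "JDoe2"},
    {"EventInfo": "User Account Disabled, ASmith, Reason: lockout threshold", "DestinationAccount": "ASmith"},
]


def glob_match(value, pattern):
    """Case-insensitive wildcard match, modelling how the thread assumes LEM treats '*'."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matching_accounts(events, field, pattern, exact=False):
    """Return the DestinationAccount of every event the correlation would fire on.

    exact=False: wildcard/glob comparison (the original '*JDoe*' rule).
    exact=True:  whole-field equality (the 'DestinationAccount = JDoe' rule).
    """
    hits = []
    for ev in events:
        value = ev[field]
        fired = value.lower() == pattern.lower() if exact else glob_match(value, pattern)
        if fired:
            hits.append(ev["DestinationAccount"])
    return hits


def watchlist_hits(events, watchlist):
    """Exact match against a group of monitored accounts: one correlation line for all users."""
    wanted = {account.lower() for account in watchlist}
    return [ev["DestinationAccount"] for ev in events if ev["DestinationAccount"].lower() in wanted]


if __name__ == "__main__":
    print("*JDoe* on EventInfo :", matching_accounts(EVENTS, "EventInfo", "*JDoe*"))
    print("*JDoe  on EventInfo :", matching_accounts(EVENTS, "EventInfo", "*JDoe"))
    print("= JDoe on DestAcct  :", matching_accounts(EVENTS, "DestinationAccount", "JDoe", exact=True))
    print("watchlist group     :", watchlist_hits(EVENTS, ["jdoe", "ASmith"]))
```

The substring form pulls in JDoe1 and JDoe2, the trailing-anchored form matches nothing because the account is not the last token, and only the exact field comparison fires for JDoe alone.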