I have created a rule in LEM and by itself it is firing correctly... for the most part. We have a list of individuals that we monitor their lockouts. The trouble i run into is that we get a few false positives because the rule catches other users.
Correlations
UserDisable.EventInfo = *JDoe*
This successfully fires an email if JDoe gets locked out. however because it is not an exact match it will also catch when JDoe1 and JDoe2 if there are multiple similar events. At this time we are not interested in JDoe1/2's lockouts and would like to exclude these users. This seems like it should be easy enough to do but im unsure what is being missed.
any help would be appriciated.