5 Replies Latest reply on Aug 22, 2019 11:22 AM by sosborne99

    SEM: Rule Help

    castlerobertd

      Needing a hand: this is my first time diving into LEM/SEM, and I created my first rule, but it doesn't seem to be working. I'm trying to send email alerts to our help desk each time a user gets disabled, but it doesn't look like it's executing. Not sure if it's my rule or maybe my email template/SMTP is incorrect in some way (I'm able to send test emails from the SMTP portion in the admin console). Images below have more info:

       

      Here are the event rules:

      I based it off of these events (edited out certain info)

      • Event Type

      UserDisable

      • EventInfo

      Account lockout "domain\username"

      • DetectionIP

      DC Server.domain

      • ToolAlias

      Vista Security

      • DestinationDomain

      DC Server

      • ProviderSID

      Microsoft-Windows-Security-Auditing 4740

      • SourceAccount

      DC Name

      • Severity

      4

      • InsertionTime

      2019-08-19 06:45:43

      • Manager

      LEM Hostname

      • SourceLogonID

      012345

      • SourceDomain

      domain

      • InsertionIP

      DC.domain

      • DetectionTime

      2019-08-19 06:45:41

      • ExtraneousInfo

      User Account was locked out after repeated logon failures due to a bad password.

      • DestinationAccount

      Username

      • DestinationMachine

      DC.domain

      • ManagerTime

      2019-08-19 06:45:43

      • SourceMachine

      User’s PC