1 of 1 people found this helpful
You'd use similar logic to what you used in your other rule; only this time, use the "UserEnable" alert. Take a look at one of these alerts in your environment (disable and re-enable a test account, for example) to see what fields/values might be of most help to you. You may or may not be able to differentiate between instances when users are re-enabled after a lockout and those who are enabled in the traditional sense.
Let me know if you have any other questions.
Look for UserEnable.EventInfo=*Account Enabled*
I don't believe that there is a difference between an account that has been automatically disabled or administratively disabled, so the unlock event won't tell you how or why the account was disabled in the first place. You would need to look at the account lockout events for that.