How does one suppress LEM alerts?

I have a user account lockout rule that is working well, sending emails when an account is locked.

Every once in a while, I'll get 2 alerts within a minute or so referencing the same user, but reported by a different AD domain controller.

I want to use these alerts to open tickets in our incident management system, but I don't want 2 for the same account when the above occurs.

Is the correlation function capable of handling that? Does anyone have recommendations for settings?


You might try changing the Response Window on the rule from the default 5 minutes to something like 30 seconds. When the second event shows up, since it'll be more than 30 seconds in the past, the LEM will ignore it.

The caveat here is that if the LEM's time (or the DC's time) drifts more than 30 seconds, the rule will stop firing entirely since the LEM will see those events as more than 30 seconds from the present.

The other warning is that if you set the Response Window too small (like 1 second) the rule will never fire.
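The suppression behaviour described in the answer, and its clock-drift caveat, as an added example that is not part of the original thread and not LEM's own code: a small deduplicator in front of the ticketing step that opens one ticket per account inside a window, treats events older than the window as stale (which is what a lagging DC clock produces), and is run over constructed sample lockout events.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutEvent:
    """One account-lockout alert (constructed sample, not real LEM output)."""
    user: str
    source_dc: str
    event_time: datetime


@dataclass
class LockoutTicketDeduper:
    """Open at most one ticket per account inside a suppression window.

    `window` plays the role of the Response Window from the answer: an event
    stamped further than `window` in the past is ignored as stale, and a
    repeat for an account already ticketed within `window` is suppressed.
    """
    window: timedelta
    tickets: list = field(default_factory=list)
    _last_ticket: dict = field(default_factory=dict)

    def process(self, event: LockoutEvent, now: datetime) -> str:
        # Clock-drift caveat: a DC whose clock lags by more than `window`
        # emits events that look too old, so nothing fires for them.
        if now - event.event_time > self.window:
            return "stale"
        key = event.user.lower()  # account names are case-insensitive in AD
        last = self._last_ticket.get(key)
        if last is not None and event.event_time - last < self.window:
            return "suppressed"  # same account from a second DC: no 2nd ticket
        self._last_ticket[key] = event.event_time
        self.tickets.append((key, event.source_dc, event.event_time))
        return "ticket"


def demo() -> list:
    """Feed constructed events through a 30-second window; returns outcomes."""
    t = datetime(2024, 1, 1, 10, 0, 0)
    d = LockoutTicketDeduper(window=timedelta(seconds=30))
    s = lambda n: timedelta(seconds=n)
    cases = [  # (event, wall-clock time at which it is processed)
        (LockoutEvent("alice", "DC01", t), t + s(5)),
        (LockoutEvent("ALICE", "DC02", t + s(20)), t + s(25)),       # duplicate
        (LockoutEvent("bob", "DC01", t + s(30)), t + s(33)),
        (LockoutEvent("alice", "DC01", t + s(300)), t + s(302)),     # new lockout
        (LockoutEvent("carol", "DC02", t + s(360)), t + s(405)),     # DC02 45 s behind
    ]
    return [d.process(ev, now) for ev, now in cases]


if __name__ == "__main__":
    print(demo())  # ['ticket', 'suppressed', 'ticket', 'ticket', 'stale']
```

The last case shows why the answer's warning matters: with a 30-second window, a controller running 45 seconds slow never opens a ticket at all.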