Hmm, do you have a sample account enabled/4722 in your LEM console? The rule is looking for a UserEnable event where the EventInfo field contains the phrase "Account Enabled", so I'm thinking maybe the text changed slightly, or for some reason the events aren't visible in LEM.
Look under Monitor > Change Management > User Account Changes if you're triggering a test; it should appear there. Or you can send that filter to nDepth (Gear > send to nDepth) to search historical events.
Wow - bingo - the text was different. In my correlation within my rule it read:
Note the one little dot:
immediately after "Enabled"
That was all it took to make it not work, and removing it was all it took to correct the problem. Thank you, thank you. This was driving me crazy. I knew there had to be something very small that was different, but never imagined the difference could have been SO small.
I checked the original NATO5 rule that I cloned to make my rule, and the unneeded dot is there, too. I don't know if that is something I could have done, but I will watch out for this in the future.
I'll look into whether we need to change the default rule - thanks for the troubleshooting!
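The failure discussed in this thread (a "contains" condition that misses because of one trailing dot) can be caught by testing a rule's phrase against sample events before deploying it. The following is an added example, not part of the thread and not SolarWinds code; the event dictionaries, field names and sample text are constructed for illustration and do not reflect LEM's actual schema.

```python
import string

# Characters ignored when looking for near misses (assumption of this example).
_TRIM = string.punctuation + string.whitespace

def _normalize(text):
    """Casefold, collapse whitespace, and strip punctuation at the ends."""
    return " ".join(text.casefold().split()).strip(_TRIM)

def check_condition(event_type, phrase, events):
    """Classify each event of event_type as 'match', 'near-miss' or 'no-match'.

    'match'     : EventInfo contains the phrase exactly (what the rule does).
    'near-miss' : it matches only after normalization, so the rule text
                  differs from the event text by case, spacing or
                  leading/trailing punctuation.
    """
    results = []
    for ev in events:
        if ev["type"] != event_type:
            continue
        info = ev["EventInfo"]
        if phrase in info:
            verdict = "match"
        elif _normalize(phrase) and _normalize(phrase) in _normalize(info):
            verdict = "near-miss"
        else:
            verdict = "no-match"
        results.append((verdict, info))
    return results

# Constructed sample events; field names are hypothetical, not LEM's schema.
SAMPLE_EVENTS = [
    {"type": "UserEnable", "EventInfo": "Account Enabled \"jdoe\""},
    {"type": "UserDisable", "EventInfo": "Account Disabled \"jdoe\""},
]

if __name__ == "__main__":
    for phrase in ("Account Enabled.", "Account Enabled"):
        for verdict, info in check_condition("UserEnable", phrase, SAMPLE_EVENTS):
            print(f"{phrase!r:20} -> {verdict:9} | {info}")
```

A "near-miss" on a test event means the rule would stay silent in production even though the event is arriving, which is the symptom described above.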