3 Replies Latest reply on Aug 22, 2014 9:48 AM by nicole pauls

    Trouble with NATO "user enabled" alert


      I cloned the NATO5 "User Account Disabled" alert rule and got the alert to fire and an email notification working very quickly and easily.


      Now I am trying to do the same with "User Account Enabled", and cannot get the alert to fire.  Does anyone have any ideas about what to check?  The rule is saved, checks as "ok", is enabled, and the rules are activated.  I even see 4722 events on my domain controllers, but I never see the event fire in LEM --> Monitor --> Rule Activity.





        • Re: Trouble with NATO "user enabled" alert
          nicole pauls

          Hmm, do you have a sample account enabled/4722 in your LEM console? The rule is looking for a UserEnable event where the EventInfo field contains the phrase "Account Enabled", so I'm thinking maybe the text changed slightly, or for some reason the events aren't visible in LEM.


          Look under Monitor > Change Management > User Account Changes; if you're triggering a test, it should appear there. Or you can send that filter to nDepth (Gear > send to nDepth) to search historical events.

            • Re: Trouble with NATO "user enabled" alert

              Wow - bingo - the text was different.  In my correlation within my rule it read:

                        *Account Enabled.*

              instead of:

                        *Account Enabled*

              Note the one little dot immediately after "Enabled".


              That was all it took to make it not work, and removing it was all it took to correct the problem.  Thank you, thank you.  This was driving me crazy.  I knew there had to be something very small that was different, but never imagined the difference could have been SO small.


              I checked the original NATO5 rule that I cloned to make my rule, and the unneeded dot is there, too.  I don't know if that is something I could have done, but I will watch out for this in the future.



              1 of 1 people found this helpful
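
Added example (not part of the original thread, and not LEM's own rule engine): a small check that runs a wildcard condition against sample EventInfo text and, when nothing matches, reports which single literal character is blocking the match. It assumes `*` is the only wildcard and that matching is case-sensitive over the whole field; the sample EventInfo strings and the `diagnose` helper are constructed for illustration.

```python
import re

# Constructed sample EventInfo values (not real LEM output).
SAMPLES = [
    'Account Enabled "jdoe" by "CORP\\admin1"',
    'Account Enabled "svc-backup" by "CORP\\admin2"',
]

def wildcard_to_regex(pattern):
    """'*' matches any run of characters; everything else is literal (assumed)."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)

def matches(pattern, text):
    return wildcard_to_regex(pattern).fullmatch(text) is not None

def diagnose(pattern, samples):
    """Return (hits, fixes). hits = samples the pattern matches; fixes = list of
    (index, char, new_pattern) single-literal deletions that match every sample."""
    hits = sum(matches(pattern, s) for s in samples)
    fixes, seen = [], set()
    if hits < len(samples):
        for i, ch in enumerate(pattern):
            candidate = pattern[:i] + pattern[i + 1:]
            if ch == "*" or candidate in seen:
                continue
            seen.add(candidate)
            if all(matches(candidate, s) for s in samples):
                fixes.append((i, ch, candidate))
    return hits, fixes

if __name__ == "__main__":
    for rule in ("*Account Enabled.*", "*Account Enabled*"):
        hits, fixes = diagnose(rule, SAMPLES)
        print(f"{rule!r}: matched {hits}/{len(SAMPLES)}")
        for i, ch, fixed in fixes:
            print(f"  drop {ch!r} at position {i} -> {fixed!r}")
```

Running the same check against events pulled from the console before enabling a cloned rule shows whether the condition text matches what the events actually contain.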