So you're getting an e-mail?
- Go to nDepth
- Under Events, find "InternalRuleFired"
- In the fields, find "Extraneous Info"
- Drag "Extraneous Info" to the search bar at the top of the nDepth screen
- In the field, enter *email*
The LEM ought to come back with all the times the rules sent an e-mail, and what rules are responsible. Take a look at those, and if you can figure out which rule and send a screenshot, we can probably find a way to modify it.
I think I figured out which rule is getting fired here thanks to your help
Event Info: The "Group Events" rule Fired.
So I cloned the original Rule and modified it by adding this Correlation "Auditable Machine Account Events.SourceAccount not = to *$* " Would that be correct?
That did it! Thank you!