Okay, easy question first: yes, you can find out what is sending you e-mail.
- Go to Explore --> nDepth
- Open the "Events" drawer and find "InternalRuleFired." Click on this.
- Pick the "ExtraneousInfo" field from the list of fields. Drag it up to the search bar. You should have something like "InternalRuleFired.ExtraneousInfo ="
- To the right of the "=" enter "*email*" (no quotes) and pick a time frame. Run a search.
This should return every event where a rule fired and the LEM sent an e-mail. The extraneous info will even list which user the LEM sent e-mail to, so you could further refine the search that way. You'll also see rule names in the EventInfo if you want to see how frequently a particular rule fires. These'll also be summed up under the "Refine Results" drawer.
Harder question: can I suppress e-mails? Sure, but it's going to take some work.
The template rules are, by design, really broad. The LEM devs would rather you get alerted too much than not enough, and shift the responsibility of reducing the chaff to you. So, when you delete a user...
- Is it a user delete? Yes!
- Is it a user account event? Yes! Being deleted is a pretty critical user account event.
- Is it a user being removed from a group? Yes! (Even if that group is just "Domain Users")
- Is it a change to the domain? Yes! The domain has one less member now!
So all of those rules return "TRUE" and all the corresponding actions are taken. Can you suppress this? Sure. The super easy way would be "Turn off three of the rules." The more complicated way would be to modify the broader rules to ignore precise events, such that "User Account Events" fires if a user account event happens that isn't a user delete. You'd eventually have a stack of "NOTs" to exempt every user event that isn't covered by something else. Then you modify the Group and Domain rules similarly.
Or figure out which User events aren't covered by more precise rules (like the Delete, Disable, Enable, Lock, Unlock, etc rules) and change the correlation to only look for the leftovers you care about. Ditto for the bigger rules.
Basically, you would need to make the broader rules more precise by adding more precise criteria or removing what they'll alert off of.
I hope that helps!
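An added illustration of the rule-overlap point above (example code written for this thread, not from SolarWinds or the LEM product): four broad template rules are modelled as predicates, one constructed user-deletion event is shown firing all four, and the "stack of NOTs" refinement is shown exempting the event types that already have their own precise rule so the deletion raises one alert. The event field names, rule names and the `PRECISE_USER_TYPES` list are assumptions for illustration.

```python
"""Models LEM-style template rule overlap and refinement (constructed example)."""
from typing import Callable, Dict, List

Event = Dict[str, str]
Rule = Callable[[Event], bool]

# Constructed sample events. A real directory deletion arrives as several
# correlated events; here each is flattened into one dict with flags.
USER_DELETE_EVENT: Event = {
    "type": "UserDelete",
    "category": "UserAccount",
    "group_change": "RemovedFromGroup",  # even if only from "Domain Users"
    "domain_change": "Yes",              # the domain has one member fewer
    "user": "jdoe",
}
PASSWORD_CHANGE_EVENT: Event = {
    "type": "UserPasswordChange",
    "category": "UserAccount",
    "group_change": "",
    "domain_change": "No",
    "user": "jdoe",
}

# Broad template rules as shipped: each matches a whole class of events.
BROAD_RULES: Dict[str, Rule] = {
    "User Delete": lambda e: e["type"] == "UserDelete",
    "User Account Events": lambda e: e["category"] == "UserAccount",
    "Group Membership Changes": lambda e: e["group_change"] != "",
    "Domain Changes": lambda e: e["domain_change"] == "Yes",
}

# Event types that already have a precise rule of their own (assumed list).
# The broader rules exclude these, which is the "stack of NOTs" from the post.
PRECISE_USER_TYPES = {"UserDelete", "UserDisable", "UserEnable", "UserLock", "UserUnlock"}


def _not_precise(e: Event) -> bool:
    """True when no dedicated rule already covers this event type."""
    return e["type"] not in PRECISE_USER_TYPES


REFINED_RULES: Dict[str, Rule] = {
    "User Delete": BROAD_RULES["User Delete"],
    "User Account Events": lambda e: e["category"] == "UserAccount" and _not_precise(e),
    "Group Membership Changes": lambda e: e["group_change"] != "" and _not_precise(e),
    "Domain Changes": lambda e: e["domain_change"] == "Yes" and _not_precise(e),
}


def fired_rules(event: Event, rules: Dict[str, Rule]) -> List[str]:
    """Return the names of every rule whose correlation matches the event."""
    return [name for name, test in rules.items() if test(event)]


if __name__ == "__main__":
    print("broad  :", fired_rules(USER_DELETE_EVENT, BROAD_RULES))      # all four fire
    print("refined:", fired_rules(USER_DELETE_EVENT, REFINED_RULES))    # only "User Delete"
    print("refined:", fired_rules(PASSWORD_CHANGE_EVENT, REFINED_RULES))  # still caught by the catch-all
```

The refined set still catches the leftover account events (a password change has no dedicated rule, so "User Account Events" keeps firing for it), which is the behaviour the post describes: the broad rule only alerts on what no more precise rule already covers.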
Curtis, Thank you for the wonderful response.
I did follow your suggestion for nDepth to see which ones were sending out emails. However, it did not return any results. Here is a screen shot:
I ran it for each time frame from 2 hours to a week with zero results. Perhaps I did something wrong?
Anyway, after thinking about what you said ("The super easy way would be 'Turn off three of the rules'"), I think I will discuss this with my team and see what we actually need alerts for (since all events will be in the database anyway). We may only need the Added to a group and User was Created or deleted setup as alerts.
I agree with the thought of getting alerted too much rather than not enough, but management wants to be on the mailing list for these alerts and I do not wish to have their mailboxes explode with thousands of alerts. (We have 5000+ users and this will generate too many emails daily.)
I will evaluate what we really need alerting for and set up my rules accordingly.
Cool. It looks like you need to add the wild-cards to that search and it should work. *email*
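An added example (written for this thread, not SolarWinds code) that reproduces offline what the nDepth search in the first post does: it runs a wildcard match on the ExtraneousInfo field of a few constructed InternalRuleFired events, shows why a bare "email" returns nothing while "*email*" matches, and sums the hits per rule name the way the "Refine Results" drawer would. The event values are made up; only the field names EventInfo and ExtraneousInfo come from the thread.

```python
"""Offline stand-in for the nDepth search InternalRuleFired.ExtraneousInfo = *email*."""
import fnmatch
from collections import Counter
from typing import Dict, List

# Constructed sample InternalRuleFired events. EventInfo carries the rule
# name and ExtraneousInfo the action detail, as described in the thread;
# the addresses and wording are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventInfo": "User Delete", "ExtraneousInfo": "Sent email to secops@example.test"},
    {"EventInfo": "User Account Events", "ExtraneousInfo": "Sent email to secops@example.test"},
    {"EventInfo": "Group Membership Changes", "ExtraneousInfo": "Sent Email to manager@example.test"},
    {"EventInfo": "User Delete", "ExtraneousInfo": "Sent email to helpdesk@example.test"},
    {"EventInfo": "Domain Changes", "ExtraneousInfo": "Wrote event to syslog"},
]


def search(events: List[Dict[str, str]], field: str, pattern: str) -> List[Dict[str, str]]:
    """Case-insensitive glob match on one field, mirroring the * wildcard.

    A pattern with no wildcard only matches when the whole field value is
    equal to it, which is why "email" on its own finds nothing here.
    """
    wanted = pattern.lower()
    return [e for e in events if fnmatch.fnmatchcase(e.get(field, "").lower(), wanted)]


def count_by_rule(events: List[Dict[str, str]]) -> Counter:
    """Sum matching events per rule name, like the Refine Results drawer."""
    return Counter(e["EventInfo"] for e in events)


if __name__ == "__main__":
    no_hits = search(SAMPLE_EVENTS, "ExtraneousInfo", "email")
    hits = search(SAMPLE_EVENTS, "ExtraneousInfo", "*email*")
    print("without wildcards:", len(no_hits))   # 0
    print("with wildcards   :", len(hits))      # 4
    for rule, n in count_by_rule(hits).most_common():
        print(f"  {rule}: {n}")
```

Filtering the matched set by rule name (EventInfo) or by the recipient inside ExtraneousInfo is the "further refine the search that way" step from the first post; the per-rule counts show which template rule is generating most of the mail volume.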