Okay, easy question first: yes, you can find out what is sending you e-mail.
- Go to Explore --> nDepth
- Open the "Events" drawer and find "InternalRuleFired." Click on this.
- Pick the "ExtraneousInfo" field from the list of fields. Drag it up to the search bar. You should have something like "InternalRuleFired.ExtraneousInfo =".
- To the right of the "=" enter "*email*" (no quotes) and pick a time frame. Run a search.
This should return every event where a rule fired and the LEM sent an e-mail. The extraneous info will even list which user the LEM sent e-mail to, so you could further refine the search that way. You'll also see rule names in the EventInfo if you want to see how frequently a particular rule fires. These'll also be summed up under the "Refine Results" drawer.
Harder question: can I suppress e-mails? Sure, but it's going to take some work.
The template rules are, by design, really broad. The LEM devs would rather you get alerted too much than not enough, and shift the responsibility of reducing the chaff to you. So, when you delete a user...
- Is it a user delete? Yes!
- Is it a user account event? Yes! Being deleted is a pretty critical user account event.
- Is it a user being removed from a group? Yes! (Even if that group is just "Domain Users")
- Is it a change to the domain? Yes! The domain has one less member now!
So all of those rules return "TRUE" and all the corresponding actions are taken. Can you suppress this? Sure. The super easy way would be "Turn off three of the rules." The more complicated way would be to modify the broader rules to ignore precise events, such that "User Account Events" fires if a user account event happens that isn't a user delete. You'd eventually have a stack of "NOTs" to exempt every user event that isn't covered by something else. Then you modify the Group and Domain rules similarly.
Or figure out which User events aren't covered by more precise rules (like the Delete, Disable, Enable, Lock, Unlock, etc. rules) and change the correlation to only look for the leftovers you care about. Ditto for the bigger rules.
Basically, you would need to make the broader rules more precise by adding more precise criteria or removing what they'll alert off of.
I hope that helps!
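The rule overlap and the "leftovers" approach from the answer above, modeled as an added example that is not part of the original post and is not LEM code. The rule names, event type names and event stream are constructed stand-ins, and the priority-order narrowing generalizes the suggestion to all broad rules in one pass.

```python
from collections import Counter

# Hypothetical rules, most precise first: (rule name, event types it matches).
# Event type names are constructed for illustration, not LEM identifiers.
RULES = [
    ("User Delete", {"UserDelete"}),
    ("User Disable", {"UserDisable"}),
    ("User Lockout", {"UserLock"}),
    ("User Account Events", {"UserDelete", "UserDisable", "UserLock",
                             "UserModify", "UserPasswordReset"}),
    ("Group Changes", {"UserDelete", "GroupMemberRemove", "GroupMemberAdd"}),
    ("Domain Changes", {"UserDelete", "GroupMemberRemove",
                        "DomainPolicyChange"}),
]

# Constructed event stream: two user deletes plus some other activity.
EVENTS = ["UserDelete", "UserDelete", "UserModify",
          "GroupMemberRemove", "UserLock"]


def fired(rules, event_type):
    """Names of every rule whose criteria match this event type."""
    return [name for name, types in rules if event_type in types]


def narrow(rules):
    """Leave each rule only the event types no earlier (more precise)
    rule already covers, i.e. the 'leftovers'."""
    claimed = set()
    narrowed = []
    for name, types in rules:
        narrowed.append((name, types - claimed))
        claimed |= types
    return narrowed


def email_counts(rules, events):
    """E-mails sent per rule, assuming one e-mail per rule firing."""
    counts = Counter()
    for event_type in events:
        counts.update(fired(rules, event_type))
    return counts


if __name__ == "__main__":
    print("before:", dict(email_counts(RULES, EVENTS)))
    print("after: ", dict(email_counts(narrow(RULES), EVENTS)))
    for name, types in narrow(RULES):
        print(f"{name}: alert only on {sorted(types)}")
```

The narrowed sets are what each broad rule's correlation would need to be restricted to; a rule whose set comes out empty is fully covered by more precise rules.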