I am pretty new to LEM (6.3.1) and am having some problems setting up a new rule. I am trying to create a rule that will email me an alert when there is a login attempt of a disabled domain account. I have email and the Directory Services Connector working for other rules so I'm okay there. I have a Directory Services Group defined for the Domain group I created called "Disabled Accounts". My problem is I am not sure how to craft the Correlations to get LEM to alert on login attempts for that group.
I would rather learn this and not just be handed a solution so if anyone could point me in the right direction that would be great. I found nothing useful in the User Guide nor the KB's on Solarwinds site but if there is something in either place that I missed that answers my question a link/page number would be perfect.
thank you
Arch