Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: LEM Rules exact match syntax

Hello Sbaird,

I think in this case the issue is using wildcards in the EventInfo field. You're trying to search for a specific string inside of a string, so you're trying to find "User Account Disabled, jdoe" instead of "User Account Disabled, jdoe1" for example. By using the wildcards you're telling LEM to search the string for all jdoe strings. That much I think you've figured out, so there are a couple of suggestions:

  1. If the account is the end of the string, make the correlation *jdoe instead of *jdoe* (so leave off the trailing wildcard).
  2. Check your event data as you may be able to use another field that only has the account name in it, instead of EventInfo. So you can set your correlation to UserDisable.DestinationAccount = JDoe instead of needing the wildcards at all. Furthermore, if that's an option for you, you can set up a group (Directory Service Group or User Defined Group) so that you just have the one line of correlation for all of your users.
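To see why the two suggestions behave differently, here is an added simulation (example code, not part of the reply above and not LEM's own matching engine) that evaluates the three correlation styles against constructed "UserDisable" events. It assumes LEM treats `*` as a glob wildcard and compares case-insensitively, and it goes slightly beyond the reply by including a user whose name merely ends in "jdoe" (e.g. "ajdoe") to show where a trailing-wildcard-free pattern still over-matches and an exact field or group comparison does not.

```python
import fnmatch

# Constructed sample events shaped like SEM/LEM UserDisable alerts (made-up data).
EVENTS = [
    {"id": 1, "EventInfo": "User Account Disabled, jdoe",   "DestinationAccount": "jdoe"},
    {"id": 2, "EventInfo": "User Account Disabled, jdoe1",  "DestinationAccount": "jdoe1"},
    {"id": 3, "EventInfo": "User Account Disabled, ajdoe",  "DestinationAccount": "ajdoe"},
    {"id": 4, "EventInfo": "User Account Disabled, jsmith", "DestinationAccount": "jsmith"},
]


def matches(value, pattern):
    """Glob comparison assumed for LEM correlations: '*' matches any run of
    characters; no wildcard means the whole field must equal the pattern.
    Case-insensitive comparison is an assumption about LEM's behaviour."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(field, pattern, events=EVENTS):
    """Return the ids of events whose `field` matches `pattern` (one correlation line)."""
    return [e["id"] for e in events if matches(e[field], pattern)]


def evaluate_group(field, group, events=EVENTS):
    """Group-style correlation: one line that fires when `field` equals any member
    of a user group (stands in for a Directory Service / User Defined Group)."""
    members = {m.lower() for m in group}
    return [e["id"] for e in events if e[field].lower() in members]


if __name__ == "__main__":
    # Original rule: wildcards on both sides catch jdoe1 and ajdoe as well.
    print("EventInfo = *jdoe*  ->", evaluate("EventInfo", "*jdoe*"))
    # Suggestion 1: drop the trailing wildcard; jdoe1 no longer matches, ajdoe still does.
    print("EventInfo = *jdoe   ->", evaluate("EventInfo", "*jdoe"))
    # Suggestion 2: exact match on the account-only field; only jdoe matches.
    print("DestinationAccount = JDoe ->", evaluate("DestinationAccount", "JDoe"))
    # Suggestion 2, group form: one line covering several users.
    print("DestinationAccount in group ->", evaluate_group("DestinationAccount", ["JDoe", "jsmith"]))
```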
