Needing a hand: this is my first time diving into LEM/SEM, and I created my first rule, but it doesn't seem to be working. I'm trying to send email alerts each time a user gets disabled to our help desk, but it doesn't look like it's executing. Not sure if it's my rule or maybe my email template/SMTP is incorrect in some way (I'm able to send test emails from the SMTP portion in the admin console). Images below have more info:
Here are the event rules:
I based it off of these events (edited out certain info)
- Event Type: UserDisable
- EventInfo: Account lockout "domain\username"
- DetectionIP: DC Server.domain
- ToolAlias: Vista Security
- DestinationDomain: DC Server
- ProviderSID: Microsoft-Windows-Security-Auditing 4740
- SourceAccount: DC Name
- Severity: 4
- InsertionTime: 2019-08-19 06:45:43
- Manager: LEM Hostname
- SourceLogonID: 012345
- SourceDomain: domain
- InsertionIP: DC.domain
- DetectionTime: 2019-08-19 06:45:41
- ExtraneousInfo: User Account was locked out after repeated logon failures due to a bad password.
- DestinationAccount: Username
- DestinationMachine: DC.domain
- ManagerTime: 2019-08-19 06:45:43
- SourceMachine: User’s PC