
Enabling rule changes

Updated: 21 May 2010 | 2 comments
Steelejaxon

New to SSIM. I have made several changes to the correlation rules (ex. changed the Windows account lockout to exclude a certain username who frequently gets locked out). However, even after making the change, I am still getting incidents based on these changes. Another example is the Spyware Not Quarantined events. I made a change to exclude any events in which the words "google search bar" appear in the Name field, as this is a common false positive for us. Again, I have seen incidents with events which should be excluded pop up after I made the changes. I have the custom (User) rule checked and the default (System) is deselected. Any ideas?

Comments

Laurent_c, 07 Nov 2009

This might be a known issue already resolved in MP2. What level of patch is your SSIM appliance?

Steelejaxon, 09 Nov 2009

looks like 4.6.2.21