
How to customize the rule for SSIM Windows account locked?

Created: 12 Dec 2012 | 4 comments

Hi people,

 

I have tried to customize the rule Windows user account locked.

I want every lock event to send an e-mail.

Today what happens is that on the first event I get an email; when the second occurs I do not get anything, and the event is in the same incident.

Thanks,

 

 

Laszlo2

Hi,

 

On the action tab, uncheck the "Send notification for incident creation only" check box. Then you will get an email every time the incident is updated with an event. If you want to have the same mail every time (with conclusion), then you have to configure the correlate by field, but then every lock will generate a separate incident.

Regards,

Laszlo

Ronaldo.Santos

Thanks for this information.

What should I put in the correlate by field?

These options exist:



Resource and Conclusion Type

Source and Destination

Source and Type Conclusion

Source

Destination and Conclusion Type

Destination

Conclusion Type

Laszlo2

If you want every single lock event to generate a separate incident, then you have to choose "no correlation", I think. Or at the tracking options you have to select the Unique event identifier, but in both cases you have to count on a lot of incidents.

Milan_T

I agree with Laszlo2.

Just consider: if 500 IDs get locked out a day, then 500 separate incidents will be generated.

What will happen for more than 1000 events? And more than that, the screen will display one type of incident.