User Rule Questions
I am administering the SSIM for my organization and, to be honest, my first impressions are not that great. I am trying to tweak the rules to minimize false positives but have been met with roadblocks time after time.
My specific issue is this: I am trying to create and deploy a custom rule using the "Windows Account Lockout" as a starting point. The condition I want to add is to exclude any events in which the user "administrator" on either my XXX server or my YYY server gets locked out.
I have the rule set up as follows:
---------------------------------------------------------------------------
And (over all criteria)
    Or (over next 3 criteria)
        Windows Event ID = 539
        Windows Event ID = 644
        Windows Event ID = 4740
    Or (over next 2 criteria)
        Destination Host Name <> (not equal to) XXX server
        Destination Host Name <> (not equal to) YYY server
    User Name <> (not equal to) administrator
-----------------------------------------------------------------------------
I have deployed this rule and continue to have incidents created in which the administrator on XXX (or YYY) server gets locked out. My thought is that the "not equal to" condition related to server names is the issue. If it gets an event from XXX server, it can match the second criterion of the Host Name not being equal to "YYY server". This doesn't explain how the "administrator" part gets through.
I attempted to run testing on the rules as I change them and would like to mention that it is useless to provide a testing process in which I cannot open the events captured for further review.
Should it matter, I am on version 4.6.2.21 of the SSIM.
Given the time I have taken to (hopefully) explain my situation, I would greatly appreciate any assistance.
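The rule logic from the post, as an added example that is not part of the original thread or of SSIM itself: a small Python evaluator that runs the rule exactly as listed above, and the exclusion the poster describes ("skip administrator lockouts on XXX or YYY, alert on everything else"), against a few constructed lockout events. XXX and YYY are the post's own placeholders; the field names (`event_id`, `dest_host`, `user_name`) and exact, case-sensitive string matching are assumptions, since the page does not state how SSIM compares values.

```python
# Added example (not from the original post or from SSIM): evaluate nested
# And/Or rule trees against constructed Windows lockout events.
from typing import Callable, Dict, List, Union

Event = Dict[str, Union[str, int]]
Pred = Callable[[Event], bool]

# Building blocks mirroring the rule editor's conditions and groupings.
# Field names below are assumptions, not SSIM's real schema.
def eq(field: str, value) -> Pred:
    return lambda e: e.get(field) == value

def ne(field: str, value) -> Pred:
    return lambda e: e.get(field) != value

def not_in(field: str, values) -> Pred:
    # One membership test plays the role of the lookup table from the comment.
    return lambda e: e.get(field) not in values

def all_of(*preds: Pred) -> Pred:          # "And (over ...)"
    return lambda e: all(p(e) for p in preds)

def any_of(*preds: Pred) -> Pred:          # "Or (over ...)"
    return lambda e: any(p(e) for p in preds)

LOCKOUT_IDS = (539, 644, 4740)
PROTECTED_HOSTS = {"XXX", "YYY"}           # the post's placeholder server names

# The rule exactly as listed in the post.
RULE_AS_WRITTEN: Pred = all_of(
    any_of(*(eq("event_id", i) for i in LOCKOUT_IDS)),
    any_of(ne("dest_host", "XXX"), ne("dest_host", "YYY")),
    ne("user_name", "administrator"),
)

# The exclusion the poster describes: do NOT fire when
#   dest_host in {XXX, YYY} AND user_name == administrator.
# By De Morgan, "fire" is:
#   dest_host not in {XXX, YYY}  OR  user_name != administrator
RULE_INTENDED: Pred = all_of(
    any_of(*(eq("event_id", i) for i in LOCKOUT_IDS)),
    any_of(not_in("dest_host", PROTECTED_HOSTS), ne("user_name", "administrator")),
)

# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Event] = [
    {"event_id": 4740, "dest_host": "XXX", "user_name": "administrator"},  # should be suppressed
    {"event_id": 4740, "dest_host": "ZZZ", "user_name": "administrator"},  # should alert
    {"event_id": 644,  "dest_host": "XXX", "user_name": "alice"},          # should alert
    {"event_id": 4625, "dest_host": "XXX", "user_name": "alice"},          # not a lockout ID
]

def evaluate(rule: Pred, events: List[Event]) -> List[bool]:
    """True where the rule would create an incident for that event."""
    return [bool(rule(e)) for e in events]

def compare(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, List[bool]]:
    """Side-by-side verdicts of the rule as written and the intended rule."""
    return {
        "as_written": evaluate(RULE_AS_WRITTEN, events),
        "intended": evaluate(RULE_INTENDED, events),
    }

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Running it shows where the two trees diverge: the Or over the two "not equal to" host conditions is true for every event, because a single event's host name can never equal both XXX and YYY, so the rule as listed collapses to "User Name <> administrator" and silently suppresses administrator lockouts on every host, not just the two servers. The intended exclusion needs the host test expressed as one membership condition (which is what the lookup table in the comment below provides) Or'd with the user-name condition, then And'd with the event-ID group. When tuning any "not equal to" exclusion, it is worth checking a handful of events like these by hand before deploying the rule.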
Comments
Find below a screenshot of how I would create such a rule.
Note that I created a lookup table for the Destination Host Name.
Thanks!!
Very helpful and very much appreciated.