Enabled account rule is also firing for create user events

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016

Overview

This article explains why a rule created to alert you on account enabled events also fires for create user events, and provides steps to resolve the issue.

Environment

All LEM versions

Cause

When a user account is created in Active Directory, Windows immediately follows the create user event with an account enabled event. The rule matches that second event, which causes a false positive.

Resolution

Modify your rule correlations to ignore an account enabled event if it accompanies a create user event. Modify your rule to match the screenshot. Save your changes, and click Activate Rules.
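The correlation described above, written out as an added Python example (it is not SolarWinds code and not the LEM rule itself): an account enabled event is dropped when it follows a create user event for the same account within a short window. The Windows Security event IDs 4720 (account created) and 4722 (account enabled), the 5-second window, and the sample events are assumptions made for this example.

```python
from datetime import datetime, timedelta

CREATED, ENABLED = 4720, 4722   # Windows Security event IDs (assumed log source)
WINDOW = timedelta(seconds=5)   # assumed correlation window; tune for your environment

# Constructed sample events (time, event ID, target account); not real log data.
SAMPLE = [
    ("2016-06-22 10:00:00", 4720, "jsmith"),   # new account ...
    ("2016-06-22 10:00:00", 4722, "jsmith"),   # ... enabled as part of creation
    ("2016-06-22 10:05:00", 4722, "svc_old"),  # existing account re-enabled
    ("2016-06-22 11:00:00", 4722, "jsmith"),   # enabled again long after creation
    ("2016-06-22 11:30:00", 4720, "temp1"),
    ("2016-06-22 11:30:02", 4722, "TEMP1"),    # same account, different case
]

def enabled_alerts(events, window=WINDOW):
    """Return (time, account) for enable events not explained by a recent creation."""
    # Sorting by (time, event ID) puts a 4720 ahead of a 4722 with the same timestamp.
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct.lower())
        for ts, eid, acct in events
    )
    last_created = {}   # account name -> time of its most recent create user event
    alerts = []
    for when, eid, acct in parsed:
        if eid == CREATED:
            last_created[acct] = when
        elif eid == ENABLED:
            created = last_created.get(acct)
            if created is not None and when - created <= window:
                continue    # enable event that accompanies a creation: ignore
            alerts.append((when, acct))
    return alerts

if __name__ == "__main__":
    for when, acct in enabled_alerts(SAMPLE):
        print(f"ALERT account enabled: {acct} at {when}")
```

Because this filter drops the enable event paired with a creation, account creation itself needs its own rule if you want to be alerted on new users.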

Last modified
19:59, 22 Jun 2016
