Submit a ticketCall us

AnnouncementsAre You “Flying Blind?”

When it comes to your complex IT infrastructure, you want to ensure you have a good grasp of what’s going on to avoid any fire drills that result from guesswork. Read our white paper to learn how proactively monitoring your IT environment can help your organization while giving you peace of mind.

Get your free white paper.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Troubleshoot excessive rule activity, duplicate emails, email templates

Troubleshoot excessive rule activity, duplicate emails, email templates

Table of contents


This article describes how to address excessive rule activity, duplicate emails from LEM, and how to determine the email template used.


All LEM versions


Perform an nDepth search for the time frame that the email was sent. Allow five minutes before and after the email was sent:

  1. Go to Explore > nDepth.
  2. Expand Events.
  3. Type InternalRuleFired in the search field.
  4. Click and drag the results to the top and change the type frame.
  5. In nDepth search, click Refine Fields (blue funnel) > InferenceRule.
  6. Check each rule fired in the ExtraneousInfo line to determine only the rules that fired the emails.
  7. Go to Build > Rules.
  8. Type the name of the first rule.
  9. Verify the email template used in the Action section.
  10. Go to Build > Groups.
  11. Click Type  and choose Email Template.
  12. Locate the name of the email template that matches the rule. 
  13. Perform the same steps for the second rule that fire.


Your rules should be firing less than a 200-300 times a day.  For rules that are busy, such as for UDP, TCP, ICMP, the default is 10 events in 10 seconds.  This is not many events at all, if you had about 10 computers this would be fine but if you have several hundred or more than a thousand workstations and you are logging every build up and teardown for UDP and TCP events these can get very busy rules. 

  1. Under Build > Rules, find the exact rule that fired.
  2. For each rule, change the number of events to 100.
  3. If the rules are still firing every second:
    1. Go to Monitor > Overview > Rule Activity.
    2. Increase the number by 50 but stop at 200. The rule may be firing on a trusted IP address that is known. If so, modify the rule by adding the IP address to the Correlation box:
      1. Go to Build > Rules.
      2. Double-click the rule.
      3. Click Events.
      4. Type the event in the search box.
      5. Click and drag DetectionIP to the Correlations box.
      6. Type the trusted IP address. This will stop the rule from firing on the that IP address.


Another issue with rules firing so often can be if you turned on Suspicious DNS rule but never added in your Approved DNS Servers. To do this, perforn the following:

  1. Go to Build > Groups.
  2. In the search field, type DNS.
  3. Click the gear icon beside Approved DNS Servers and select Edit.
  4. Click + on the bottom left to add the DNS servers.
  5. Type a name/hostname in the name box type.
  6. Type the exact IP address of your DNS server in the Data box.
  7. Click Save.
  8. Perform the steps for every DNS server.


Sometimes you will have rules fire for users that do something and sometimes you have rules fire when a computer or machine name changes something from Group Policy.  To prevent rules from firing when a machine makes a change:

  1. Go to Build > Rules.
  2. Double-click on the rule you want to modify.
  3. Click Event Groups > Auditable Domain Events.
  4. Under fields, click and drag DetectionIP to the Correlations box.
  5. Type *$* in the blank box.


Duplicate Email Active Response Connectors

The LEM supports having multiple Email Active Response connectors setup. This would allow you to have rules that fire off alert emails to different servers based on need (eg an internal relay for sensitive alerts, and a normal server for urgent alerts.) Depending on your environment this could cause you to receive duplicate emails from your LEM.

  1. Go to Manage > Appliances
  2. Click the "Gear" icon on the left side next to the appliance in question.
  3. In the Connector Configuration window click the check box next to "Configured"
  4. Verify that that is only one Email Active Response connector
  5. Remove any duplicate Email Active Response connectors.

2018-11-16 17_44_45-Window.png



Note:  You can also click on the specific InternalRule fired either from the Monitor Filter for Rule Activity or from the nDepth query that you did above and on the top right hand-side, click on Explore above the time frame like Last 10 minutes and select Event.  What this shows you is the events that caused the rule to fire. Also click on the event and Event Details at the top.


NOTE: If you have logs replicating between your Domain Controllers, the LEM is seeing logs from both servers.  Either stop replicating logs between the servers or increase the number of events in the rule.




Last modified