The predefined rule alerts on all lockouts, regardless of which user was locked out.
Copy the text below into an existing rule, or create a new rule based on it. This syntax lets you choose which accounts are ignored when alerting on an account lockout event:
<rule type="REL" version="1.0">
  <arguments>
    <argument name="Excluded Users" class="List" description="Excluded Users list">
      <value>"domain\\user"</value>
    </argument>
  </arguments>
  <prefilter>
    EventID = 644
    and striequ( Source, "security" );
  </prefilter>
  <body>
    EventID = 644
    and striequ( Source, "security" )
    and not in ( strcat( String5, "\\", String1 ), "wi", array(<parameter name="Excluded Users"/>) );
  </body>
</rule>
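To see which lockouts an exclusion list would hide before the rule is deployed, the following added example (a Python model, not InTrust code and not part of the original article) mirrors the rule body over constructed events. It assumes that the "wi" flags mean wildcard, case-insensitive matching and that String5 and String1 hold the domain and account name, as the "domain\\user" value format suggests; all account names and events are constructed.

```python
from fnmatch import fnmatchcase

# Constructed exclusion list, written as the strings look after REL
# unescaping ("domain\\user" in the rule is domain\user here).
EXCLUDED_USERS = [r"CORP\svc_backup", r"CORP\test*"]

# Constructed sample events; string1/string5 stand in for String1/String5.
SAMPLE_EVENTS = [
    {"event_id": 644, "source": "Security", "string1": "svc_backup", "string5": "CORP"},
    {"event_id": 644, "source": "Security", "string1": "Test01", "string5": "corp"},
    {"event_id": 644, "source": "Security", "string1": "jsmith", "string5": "CORP"},
    {"event_id": 528, "source": "Security", "string1": "jsmith", "string5": "CORP"},
]

def account(event):
    """Equivalent of strcat( String5, "\\", String1 )."""
    return event["string5"] + "\\" + event["string1"]

def is_lockout(event):
    """Equivalent of the prefilter: EventID = 644 and Source is "security"."""
    return event["event_id"] == 644 and event["source"].lower() == "security"

def is_excluded(name, patterns):
    """Case-insensitive wildcard match (assumed meaning of the "wi" flags)."""
    # fnmatchcase also treats [ ] as special; fine for names using only * and ?.
    return any(fnmatchcase(name.lower(), p.lower()) for p in patterns)

def alerts(events, patterns):
    """Lockouts the rule would still alert on."""
    return [account(e) for e in events
            if is_lockout(e) and not is_excluded(account(e), patterns)]

def suppressed(events, patterns):
    """Lockouts the exclusion list hides; review these before deploying."""
    return [account(e) for e in events
            if is_lockout(e) and is_excluded(account(e), patterns)]

if __name__ == "__main__":
    print("alerts:    ", alerts(SAMPLE_EVENTS, EXCLUDED_USERS))
    print("suppressed:", suppressed(SAMPLE_EVENTS, EXCLUDED_USERS))
```

A broad wildcard entry such as `CORP\test*` silences every matching account, so the suppressed list is worth checking whenever the exclusion list changes.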