Original Message:
Sent: Fri July 14, 2023 04:32 AM
From: Dusan VIDOVIC
Subject: Use Case Suggestion: Disabled Account Enabled
So, you do not want to trigger if a user account was enabled in a short period of time after that user account was created ... Can't something like this be used for exclusion?
AND NOT when these rules match at least this many times in this many minutes after any of these rules match with the same event properties
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Wed July 12, 2023 11:59 PM
From: Cyber Post
Subject: Use Case Suggestion: Disabled Account Enabled
Hi All,
I need a suggestion on excluding the below items from the Rule.
We have a rule in place to monitor if any of the disabled accounts are enabled using Microsoft Windows security logs.
But when a new account is created it will be by default in the disabled state. How can we exclude the same event from the rule?
Customers don't want to trigger if a new account created in the disabled state was enabled at a later point.
There is one Rule for adding the disabled account to the reference set and another Rule for detecting when the disabled account in the reference set got enabled.
How to exclude, and in which Rule do we need to exclude what?
Thanks
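The two-rule design described in the question, with the creation-window exclusion proposed in the reply, sketched as an added Python example (not from either poster and not QRadar rule syntax). The event IDs are the standard Windows Security IDs for account created (4720), disabled (4725) and enabled (4722); the log records and the 60-minute grace window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): simplified Windows Security
# log records as (timestamp, event_id, account).
SAMPLE_EVENTS = [
    ("2023-07-12 09:00:00", 4720, "svc_new"),     # created (disabled by default)
    ("2023-07-12 09:05:00", 4722, "svc_new"),     # enabled 5 min later: provisioning
    ("2023-07-12 10:00:00", 4725, "jdoe"),        # existing account disabled
    ("2023-07-13 23:30:00", 4722, "jdoe"),        # re-enabled a day later: alert
    ("2023-07-13 08:00:00", 4720, "contractor"),  # created disabled
    ("2023-07-13 20:00:00", 4722, "contractor"),  # enabled 12 h later: alert
]


def disabled_account_enabled(events, grace_minutes=60):
    """Return (timestamp, account) pairs whose enablement should fire the rule.

    Rule 1 (populate): account created or account disabled -> add to the
    reference set of disabled accounts.
    Rule 2 (detect): account enabled while in the reference set -> offense,
    unless the enable happens within `grace_minutes` of that account's own
    creation. The exclusion therefore lives in the detection rule, not in the
    rule that maintains the reference set.
    """
    grace = timedelta(minutes=grace_minutes)
    disabled_set = set()   # stands in for the QRadar reference set
    created_at = {}        # account -> creation time, needed for the exclusion
    alerts = []
    for ts, event_id, account in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4720:
            created_at[account] = t
            disabled_set.add(account)   # new accounts start in the disabled state
        elif event_id == 4725:
            disabled_set.add(account)
        elif event_id == 4722 and account in disabled_set:
            disabled_set.discard(account)
            creation = created_at.get(account)
            if creation is not None and t - creation <= grace:
                continue                # excluded: enable is part of provisioning
            alerts.append((ts, account))
    return alerts


if __name__ == "__main__":
    for ts, account in disabled_account_enabled(SAMPLE_EVENTS):
        print(f"{ts} disabled account enabled: {account}")
```

Widening the grace window also suppresses the contractor case; what remains is an account that was disabled by an explicit action and later re-enabled, which is the situation the customer actually wants to see.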