CEM SIGNONVIO reporting inconsistent on password violations
Article ID: 131550
Products
Compliance Event Manager
Issue/Introduction
CEM generates SIGNONVIO violations inconsistently: email messages are sent for certain user IDs based on password violations, but these messages triggered by CEM do not coincide with the ACF2 password violation report for the IDs in question.
Environment
CEM 6.0, ACF2 16.0
Cause
From an ESM perspective, SIGNONVIO (signon violation) encompasses more than just a password violation. This would explain why a SIGNONVIO could trip in CEM, but not show in ACF2 as a password violation.
Resolution
To limit SIGNONVIO to just password violations, so that it correlates with the ACF2 password violation report, the following criterion needs to be added to the SIGNONVIO policy: Information Code 1 = 12.