CEM generates SIGNONVIO violations inconsistently: email messages are sent for
certain user IDs based on password violations, but these CEM-triggered messages
do not coincide with the ACF2 password violation report for the IDs in question.
From an ESM perspective, SIGNONVIO (signon violation) encompasses more than just a password violation.
This would explain why a SIGNONVIO could trip in CEM, but not show in ACF2 as a password violation.
CEM 6.0, ACF2 16.0
To limit SIGNONVIO to just password violations, so that it correlates with the ACF2 password violation report, the following criterion needs to be added to the SIGNONVIO policy:
Information Code 1 = 12.