CEM SIGNONVIO reporting inconsistent on password violations
Article ID: 131550
CA Compliance Event Manager
CEM generates SIGNONVIO violations inconsistently: email messages are sent for certain user IDs based on password violations, but the messages triggered by CEM do not coincide with the ACF2 password violation report for the IDs in question.
From an ESM perspective, SIGNONVIO (signon violation) encompasses more than just a password violation. This would explain why a SIGNONVIO could trip in CEM, but not show in ACF2 as a password violation.
CEM 6.0, ACF2 16.0
To limit SIGNONVIO to just password violations, so that it correlates with the ACF2 password violation report, the following criterion needs to be added to the SIGNONVIO policy: Information Code 1 = 12.