I am trying to set up a custom alert to email me when a user is locked out. I have it working with all domain controllers, but there are multiple email notifications coming from each DC. I have tried to limit the scope based on the “ComputerName” portion of the logs for each DC, but it is not pulling anything when I do this even though it appears to be correct. Has anyone written an alert that matches this use case?
Are you saying you get multiple alerts but you only want one per lockout? If that’s the case, you can use the “Custom Data Parsing” option to parse out the “Caller Computer Name” from the source data and then use the name of the DC you want to get alerts from in your query.
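One way to get a single notification per lockout, as an added example that is not from this thread or from any particular SIEM: parse the locked-out account and “Caller Computer Name” out of the event text and deduplicate on that pair, optionally restricting to one reporting DC as the reply above suggests. The message layout (modelled on Windows Security event 4740), the hostnames and the account names are constructed assumptions.

```python
import re

def _msg(account, caller):
    """Constructed body text in the shape of Windows Security event 4740."""
    return ("A user account was locked out.\n"
            "Account That Was Locked Out:\n\tAccount Name:\t\t%s\n"
            "Additional Information:\n\tCaller Computer Name:\t%s\n" % (account, caller))

# Constructed sample: one lockout of "jdoe" recorded by three DCs
# (hostnames are made up), a second lockout, and an unrelated event.
SAMPLE_EVENTS = (
    [{"ComputerName": dc, "EventID": 4740, "Message": _msg("jdoe", "WKSTN-42")}
     for dc in ("DC01", "DC02", "DC03")]
    + [{"ComputerName": "DC02", "EventID": 4740, "Message": _msg("asmith", "LAPTOP-7")},
       {"ComputerName": "DC01", "EventID": 4625, "Message": "An account failed to log on."}]
)

ACCOUNT_RE = re.compile(r"Account That Was Locked Out:.*?Account Name:\s*(\S+)", re.S)
CALLER_RE = re.compile(r"Caller Computer Name:\s*(\S+)")

def parse_lockout(event):
    """Return (dc, account, caller) for a lockout event, or None for anything else."""
    if event.get("EventID") != 4740:
        return None
    acct = ACCOUNT_RE.search(event["Message"])
    caller = CALLER_RE.search(event["Message"])
    if not acct or not caller:
        return None
    return (event["ComputerName"], acct.group(1), caller.group(1))

def lockout_alerts(events, only_dc=None):
    """One alert per (account, caller); only_dc keeps events from a single DC."""
    seen, alerts = set(), []
    for ev in events:
        parsed = parse_lockout(ev)
        if parsed is None or (only_dc is not None and parsed[0] != only_dc):
            continue
        dc, account, caller = parsed
        if (account, caller) not in seen:
            seen.add((account, caller))
            alerts.append({"dc": dc, "account": account, "caller": caller})
    return alerts
```

Filtering to one DC only works if that DC sees every lockout; deduplicating on the (account, caller) pair does not depend on which DC reported first.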
There’s already a UBA alert for this that you should be able to key in on. It triggers the alert anytime there is an “account locked” message from any of the DCs. Was this alert giving you issues that made you need to revert to a custom alert for some reason?