I would like to set up exemptions to this rule.
Since it has not been moved over to the new way of doing things, I cannot.
I will turn off the legacy rule and create my own custom rule.
I am unable to figure out how to correlate the login event for the active (cloud) account with the fact that the account is disabled on-prem.
Does anyone know how to do this?
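The correlation the question asks for, written out as an added example that is not part of this thread or of the product being discussed: join successful cloud sign-in events against an on-prem AD export and flag sign-ins by accounts whose `userAccountControl` has the ACCOUNTDISABLE bit set, with an exemption list for accounts that are expected to stay disabled on-prem. The event format, the AD export format, the user-principal-name join key and the exemption list are all assumptions for illustration; the sample data is constructed.

```python
"""Added example (not from the original thread or product): flag cloud sign-ins
by accounts that are disabled on-prem.  Event fields, the AD export shape and
the UPN join key are assumptions; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime

ACCOUNTDISABLE = 0x0002   # userAccountControl bit set on a disabled AD account
NORMAL_ACCOUNT = 0x0200   # userAccountControl bit for an ordinary user account

# Constructed on-prem AD export (assumed format): UPN -> userAccountControl
AD_EXPORT = {
    "alice@corp.example": NORMAL_ACCOUNT,                      # enabled
    "bob@corp.example": NORMAL_ACCOUNT | ACCOUNTDISABLE,       # disabled on-prem
    "svc-backup@corp.example": NORMAL_ACCOUNT | ACCOUNTDISABLE,  # disabled, exempted below
}

# Constructed cloud sign-in events (assumed format)
CLOUD_LOGINS = [
    {"time": "2024-05-01T08:02:11Z", "user": "Alice@corp.example", "result": "success", "ip": "203.0.113.5"},
    {"time": "2024-05-01T08:10:43Z", "user": "bob@corp.example", "result": "success", "ip": "198.51.100.7"},
    {"time": "2024-05-01T08:12:00Z", "user": "bob@corp.example", "result": "failure", "ip": "198.51.100.7"},
    {"time": "2024-05-01T09:00:00Z", "user": "svc-backup@corp.example", "result": "success", "ip": "10.0.0.4"},
    {"time": "2024-05-01T09:30:00Z", "user": "carol@cloudonly.example", "result": "success", "ip": "192.0.2.9"},
]

# Exemptions (assumed): accounts deliberately disabled on-prem that still sign in to the cloud
EXEMPTIONS = {"svc-backup@corp.example"}


@dataclass(frozen=True)
class Alert:
    time: datetime
    user: str
    ip: str
    reason: str


def is_disabled_on_prem(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(uac & ACCOUNTDISABLE)


def _parse_time(ts: str) -> datetime:
    # Accept the trailing 'Z' on older Python versions by rewriting it as an offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(logins, ad_export, exemptions):
    """Return Alerts for successful cloud sign-ins by accounts disabled on-prem.

    UPNs are case-insensitive in AD, so both sides are lower-cased before the join.
    Failed sign-ins are skipped: a disabled account failing to log in is expected.
    Cloud-only accounts (no on-prem record) cannot be correlated and are skipped here;
    see unmapped_users() for surfacing them separately.
    """
    uac_by_upn = {upn.lower(): uac for upn, uac in ad_export.items()}
    exempt = {u.lower() for u in exemptions}
    alerts = []
    for ev in logins:
        if ev["result"] != "success":
            continue
        upn = ev["user"].lower()
        if upn in exempt:
            continue
        uac = uac_by_upn.get(upn)
        if uac is None:
            continue
        if is_disabled_on_prem(uac):
            alerts.append(Alert(
                time=_parse_time(ev["time"]),
                user=upn,
                ip=ev["ip"],
                reason="successful cloud sign-in by account disabled on-prem",
            ))
    return alerts


def unmapped_users(logins, ad_export):
    """Cloud users with no on-prem record, in first-seen order.

    These are the cases where an account-to-user mapping may be missing or
    misattributed, and are worth reviewing before trusting the correlation.
    """
    known = {upn.lower() for upn in ad_export}
    seen = []
    for ev in logins:
        upn = ev["user"].lower()
        if upn not in known and upn not in seen:
            seen.append(upn)
    return seen


if __name__ == "__main__":
    for a in correlate(CLOUD_LOGINS, AD_EXPORT, EXEMPTIONS):
        print(f"{a.time.isoformat()} {a.user} from {a.ip}: {a.reason}")
    print("unmapped:", unmapped_users(CLOUD_LOGINS, AD_EXPORT))
```

Exemptions are applied before the on-prem lookup so an exempted account never produces an alert regardless of its disabled state, which is the behaviour the question asks for. The `unmapped_users` list is kept separate from the alerts because a cloud-only or misattributed account is an investigation lead, not a detection.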
This functionality currently does not exist, since the account disabled information isn’t currently exposed in log search directly. We are working towards migrating these rules eventually, but some rules come with additional complexities such as this, and will take some more work than the more basic ones which have already been migrated.
One thing we can potentially assist with is why the rule is firing in the first place, if it is a false positive or perhaps a misattributed account-to-user mapping. If you would like to raise a support case on that, we can take a look.
David