ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.
ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins.Read more for important details.
Commodore Commodore
Commodore
281 views

Rule: Users deleted less than 24 hours after creation

Jump to solution

Dear all,

I am trying to create a Rule which is used to detect "Users deleted less than 24 hours after creation". In Condition, I want to get End Time (Event ID: 630),  and End Time (Event ID: 624) which has the same Target User Name; then compare these 2 End Time values. But I don't know how to do it.

Does anyone know or have any other idea? Thank you very much.

Best regards,

Linh.

0 Likes
1 Solution

Accepted Solutions
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

The way I would go about this is to create an AL that stores the end time & username of the created user with a 24 hour expiration time, build a rule that fires when a user is created and adds the username to the AL.  Then create an AL that fires on a user deletion event which looks in the created user AL for any users that match.  Due to the 24 hour expiration time, if the user exists in the AL then it has been created within the 24 hour timeframe.  This method makes it so the rule does not have to look back over 24 hours of time (which can be done, but that's going to be resource intensive), nor do you have to have a rule that looks 24 hours in the future for a deletion event (which again, can be done, but is bad juju). 

HTH

Chris

View solution in original post

0 Likes
3 Replies
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

The way I would go about this is to create an AL that stores the end time & username of the created user with a 24 hour expiration time, build a rule that fires when a user is created and adds the username to the AL.  Then create an AL that fires on a user deletion event which looks in the created user AL for any users that match.  Due to the 24 hour expiration time, if the user exists in the AL then it has been created within the 24 hour timeframe.  This method makes it so the rule does not have to look back over 24 hours of time (which can be done, but that's going to be resource intensive), nor do you have to have a rule that looks 24 hours in the future for a deletion event (which again, can be done, but is bad juju). 

HTH

Chris

View solution in original post

0 Likes
Commodore Commodore
Commodore

It's a very good idea. Thank you, Chris!

0 Likes
Cadet 2nd Class Cadet 2nd Class
Cadet 2nd Class

My pleasure!

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.