Details
Several Active Directory user-related Actionable Alert Rules have a built-in if statement: if a user is in a group called “RoarExclude”, that user is excluded from the Alert. To use this feature, create a Security Group named “RoarExclude”.
Steps to remediate
The following Metrics include the RoarExclude filter and can be used for custom Actionable Alert Rules:
Active Directory: End of Life Workstations (Excludes Roar Group)
Active Directory: Age of Oldest Privileged User Password
Active Directory: Privileged Users with Stale Password List
Active Directory: Age of Oldest Non-Privileged User Password
Active Directory: Non-Privileged Users with Stale Password List
The following prebuilt Actionable Alerts include the RoarExclude filter:
Active Directory | Privileged User with Stale Password
Active Directory | User with Stale Password
To exclude a user from another Active Directory Metric, at the Users object level, inside the brackets, add the condition followed by the exclusion string as shown here:
Users[?first condition && !contains(MemberOfStr, `RoarExclude`)]
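The exclusion clause above, emulated in plain Python as an added example (not code from the product) so its effect can be checked against sample records. The field names `Name` and `PasswordAgeDays`, the 90-day threshold, and the comma-separated form of `MemberOfStr` are assumptions, and the user records are constructed. It also lists the users the clause suppresses, since JMESPath `contains` on a string is a substring test and any group name containing "RoarExclude" will match.

```python
# Emulates: Users[?<first condition> && !contains(MemberOfStr, `RoarExclude`)]
EXCLUDE_GROUP = "RoarExclude"  # group name from the article


def jp_contains(subject, search):
    """JMESPath contains(): substring test on strings, element test on arrays."""
    if isinstance(subject, (str, list)):
        return search in subject
    return False  # JMESPath raises a type error here; treated as "no match"


def is_excluded(user):
    return jp_contains(user.get("MemberOfStr", ""), EXCLUDE_GROUP)


def apply_filter(users, first_condition):
    """Users that still reach the alert after the exclusion clause."""
    return [u for u in users if first_condition(u) and not is_excluded(u)]


def suppressed(users, first_condition):
    """Users that met the first condition but were hidden by the exclusion."""
    return [u for u in users if first_condition(u) and is_excluded(u)]


# Constructed sample records; field names other than MemberOfStr are hypothetical.
USERS = [
    {"Name": "alice", "PasswordAgeDays": 400, "MemberOfStr": "Domain Users, Finance"},
    {"Name": "svc-backup", "PasswordAgeDays": 900, "MemberOfStr": "Domain Users, RoarExclude"},
    {"Name": "bob", "PasswordAgeDays": 30, "MemberOfStr": "Domain Users"},
    {"Name": "carol", "PasswordAgeDays": 500, "MemberOfStr": "Domain Users, RoarExclude-Old"},
]


def stale(user):
    """Hypothetical 'first condition': password older than 90 days."""
    return user["PasswordAgeDays"] > 90


def alerted_names(users=USERS):
    return [u["Name"] for u in apply_filter(users, stale)]


def suppressed_names(users=USERS):
    return [u["Name"] for u in suppressed(users, stale)]


if __name__ == "__main__":
    print("alerted:   ", alerted_names())
    print("suppressed:", suppressed_names())
```

The suppressed list is the one to review periodically: it shows every account the exclusion hides from the alert, including `carol`, who is only in a similarly named group.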