Hi Dan: Thank you for your time and input.
The ignore is not working; I get paged on all RDP logins. Here is the Windows event log.

** Alert 1328621405.259824: mail - windows,authentication_success,
2012 Feb 07 08:30:05 (MACHINE NAME) MACHINE-IP->WinEvtLog
Rule: 180000 (level 11) -> 'Windows RDP Login.'
User: <USER ID GOES HERE>s
WinEvtLog: Security: AUDIT_SUCCESS(528): Security: <USER ID GOES HERE>: DYNAMIC-A3054BC: DYNAMIC-A3054BC: Successful Logon: User Name: <USER ID GOES HERE> Domain: <DOMAIN HERE> Logon ID: (PRIVATE) Logon Type: 10 Logon Process: Usernnn Authentication Package: Negotiate Workstation Name: <DOMAIN HERE> Logon GUID: - Caller User Name: <DOMAIN HERE> Caller Domain: WORKGROUP Caller Logon ID: (PRIVATE) Caller Process ID: 432 Transited Services: - Source Network Address: 24.229.66.131 Source Port: 50104

<rule id="180001" level="0">
  <if_sid>180000</if_sid>
  <srcip>24.229.66.131</srcip>
  <description>Valid system admin IP - igore</description>
</rule>

I'm not sure if it is the <srcip> that is not working or if the granular email rule is only going on the parent. How can I get it narrowed down?

Thank you.