Forum Newbie
      
Group: Forum Members
Last Login: 9/14/2011 11:03:37 AM
I am attempting to create a report in our new SIEM that will run each week and display all new user accounts created in that week. I built a custom query to look for 624 events. I sat down with one of our account provisioners to verify my query results against the actual accounts they created. I am only catching half of the accounts. I took the list of names of users my report missed and built a quick query looking for all relevant events. All came back with 642s and 628s, which I know are often generated by a 624 event. Any idea why there are no 624s? I am just querying our DCs, which all have the same level of logging. I also ruled out 2008 machines (4072 events I believe). Any thoughts?
Expert
      
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
My first inclination is to not trust the SIEM solution. Never seen 624 not logged.
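One way to run the reconciliation described in the question, so that gaps in 624 collection show up per domain controller. This is an added example and not part of either post; the event tuples, account names, DC names and function names are constructed for illustration, and it assumes the 642/628 events for a new account are reported by the same DC that handled its creation.

```python
from collections import defaultdict

# Constructed sample of SIEM results: (event_id, target_account, reporting_dc)
EVENTS = [
    (624, "asmith", "DC01"), (642, "asmith", "DC01"), (628, "asmith", "DC01"),
    (642, "BJones", "DC02"), (628, "bjones", "DC02"),   # no 624 collected
    (624, "cdoe", "DC01"), (642, "cdoe", "DC01"),
    (642, "dlee", "DC02"), (628, "dlee", "DC02"),       # no 624 collected
    (624, "svc_tmp", "DC01"),                           # not on the provisioners' list
]
# Constructed list of accounts the provisioners say they created this week
PROVISIONED = {"asmith", "bjones", "cdoe", "dlee", "evans"}

def reconcile(events, provisioned):
    """Compare collected events with the provisioning list, per account."""
    ids, dcs = defaultdict(set), defaultdict(set)
    for event_id, account, dc in events:
        key = account.lower()            # account names are case-insensitive
        ids[key].add(event_id)
        dcs[key].add(dc)
    expected = {a.lower() for a in provisioned}
    result = {"matched": [], "missing_624": {}, "no_events": [], "unexpected_624": []}
    for account in sorted(expected):
        if 624 in ids[account]:
            result["matched"].append(account)
        elif ids[account]:
            # 642/628 arrived but the 624 did not: record which DC reported them
            result["missing_624"][account] = sorted(dcs[account])
        else:
            result["no_events"].append(account)
    # Creations seen in the logs that nobody on the provisioning side claims
    result["unexpected_624"] = sorted(
        a for a, seen in ids.items() if 624 in seen and a not in expected)
    return result

def gaps_by_dc(result):
    """Count accounts with a missing 624 per reporting DC (collection gap hint)."""
    counts = defaultdict(int)
    for dc_list in result["missing_624"].values():
        for dc in dc_list:
            counts[dc] += 1
    return dict(counts)

if __name__ == "__main__":
    report = reconcile(EVENTS, PROVISIONED)
    print(report)
    print(gaps_by_dc(report))
```

If the missing 624s cluster on one DC, compare that DC's local Security log with what the SIEM holds for the same time window before suspecting the audit policy.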