Here are a few that I look for currently:
1. New administrator account created
2. Administrator account deleted
3. Administrator logon
4. User failed logon
5. User account locked out
6. Patch applied to a server (will be the system generated reports needed for audits)
7. User Accounts that have not logged in for 60 days
thanks
--
Jeff
jeff...@yahoo.com
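As an added example (not part of the original post or of any MOM rule set), the following sketch turns items 1-5 and 7 of the list above into detection logic over a stream of account events. It assumes modern Windows Security log event IDs (4720, 4726, 4732, 4624, 4625, 4740), which the thread does not name, and uses simplified, constructed event records; the `audit` function and its field names are hypothetical, and item 6 (patch reporting) is left out.

```python
from datetime import datetime, timedelta

# Modern Windows Security log event IDs (assumption: the thread names none).
CREATED, DELETED, GROUP_ADD, LOGON, FAILED, LOCKED = 4720, 4726, 4732, 4624, 4625, 4740

def audit(events, admins, last_logon, now, stale_days=60):
    """Scan time-ordered events; return (alerts, stale_accounts)."""
    admins, last_logon = set(admins), dict(last_logon)  # copies, inputs stay untouched
    created, alerts = set(), []
    for e in events:
        eid, user, when = e["id"], e["user"], e["time"]
        if eid == CREATED:
            created.add(user)
            last_logon.setdefault(user, when)  # age baseline for never-used accounts
        elif eid == GROUP_ADD and e.get("group") == "Administrators":
            admins.add(user)
            if user in created:  # created and promoted inside the same window
                alerts.append((when, "new administrator account created", user))
        elif eid == DELETED:
            if user in admins:
                alerts.append((when, "administrator account deleted", user))
            admins.discard(user)
            created.discard(user)
            last_logon.pop(user, None)  # deleted accounts cannot be stale
        elif eid == LOGON:
            last_logon[user] = when
            if user in admins:
                alerts.append((when, "administrator logon", user))
        elif eid == FAILED:
            alerts.append((when, "user failed logon", user))
        elif eid == LOCKED:
            alerts.append((when, "user account locked out", user))
    cutoff = now - timedelta(days=stale_days)
    return alerts, sorted(u for u, t in last_logon.items() if t < cutoff)

# Constructed sample data, not taken from any real log.
NOW, ADMINS = datetime(2024, 3, 1), {"Administrator"}
LAST_LOGON = {"Administrator": datetime(2024, 2, 28), "alice": datetime(2024, 2, 19),
              "bob": datetime(2023, 12, 1)}
EVENTS = [
    {"id": CREATED, "user": "svc-temp", "time": datetime(2024, 2, 20, 9, 0)},
    {"id": GROUP_ADD, "user": "svc-temp", "group": "Administrators", "time": datetime(2024, 2, 20, 9, 1)},
    {"id": FAILED, "user": "alice", "time": datetime(2024, 2, 21, 8, 0)},
    {"id": FAILED, "user": "alice", "time": datetime(2024, 2, 21, 8, 1)},
    {"id": LOCKED, "user": "alice", "time": datetime(2024, 2, 21, 8, 2)},
    {"id": LOGON, "user": "svc-temp", "time": datetime(2024, 2, 22, 3, 0)},
    {"id": DELETED, "user": "svc-temp", "time": datetime(2024, 2, 23, 3, 5)},
]

print(audit(EVENTS, ADMINS, LAST_LOGON, NOW))
```

Domain-level administrator groups log additions under a different event ID (4728 for global groups), so a real rule would match both.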
Please take a look at http://contoso.se/blog/?p=109
-----
Regards
Anders Bengtsson
Microsoft MVP - MOM
http://www.contoso.se
N> I would like to start a thread to gather/collect ideas for types of
N> events to set up for monitoring. Any event/alert can be posted, but I
N> am focusing on security auditing.
N>
N> Here are a few that I look for currently:
N> 1. New administrator account created
N> 2. Administrator account deleted
N> 3. Administrator logon
N> 4. User failed logon
N> 5. User account locked out
N> 6. Patch applied to a server (will be the system generated reports needed for audits)
N> 7. User Accounts that have not logged in for 60 days
N> thanks
N>