McAfee Support Community - Re: ELM Search

Sammy1 · ‎10-23-2018

Hello everyone, I am trying to do an ELM search for all user accounts disabled, Windows Event 4725, in th esearch I put 4725 but it returned a ton of results and actually met its limit, then when I spot checked the results they were not accounts disabled events, am I doing something wrong?

David1111 · ‎10-24-2018

try 43-263047250

the McAfee convention for windows id's is 43-2630<wmi event id>0

so in your case it's 43-263047250

I know its' silly... but it's not the only silly thing in this system...

give a like if you fill so... it's time for McAfee to notice the Users feelings.

David

mherr · ‎10-24-2018

To narrow your ELM search, you can try searching for ||4725|| and select only Windows Devices

or you can try regex (\|\|4725\|\|) and select Windows Devices.

Searching just 4725 could pop up in many ways in raw text.

The actual event has Microsoft-Windows-Security-Auditing||4725||, which could also be used to narrow your search.

Sammy1 · ‎10-25-2018

Oh this is really good, I will try this, thank you..