Hello everyone, I am trying to do an ELM search for all user accounts disabled, Windows Event 4725. In the search I put 4725, but it returned a ton of results and actually met its limit; then when I spot-checked the results, they were not account-disabled events. Am I doing something wrong?
The McAfee convention for Windows IDs is 43-2630<wmi event id>0,
so in your case it's 43-263047250.
I know it's silly... but it's not the only silly thing in this system...
Give a like if you feel so... it's time for McAfee to notice the users' feelings.
To narrow your ELM search, you can try searching for ||4725|| and select only Windows Devices
or you can try regex (\|\|4725\|\|) and select Windows Devices.
Searching just 4725 could pop up in many ways in raw text.
The actual event has Microsoft-Windows-Security-Auditing||4725||, which could also be used to narrow your search.
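Added example, not part of the original thread: a short Python check showing why a bare `4725` search over raw text returns unrelated events while the delimiter-anchored patterns suggested above do not, plus the signature ID convention from the first reply. The sample lines are constructed; only the `Microsoft-Windows-Security-Auditing||4725||` fragment comes from the thread, and the rest of the field layout is an assumption.

```python
import re

# Constructed sample records. Only the "Microsoft-Windows-Security-Auditing||4725||"
# fragment is taken from the thread; the other fields are assumed for illustration.
SAMPLE_LINES = [
    "DC01||Microsoft-Windows-Security-Auditing||4725||A user account was disabled.||Target: jdoe",
    "DC01||Microsoft-Windows-Security-Auditing||4624||An account was successfully logged on.||Source Port: 54725",
    "DC01||Microsoft-Windows-Security-Auditing||4688||A new process has been created.||Process ID: 0x4725",
    "FS02||Microsoft-Windows-Security-Auditing||4725||A user account was disabled.||Target: svc_backup",
    "FS02||Microsoft-Windows-Security-Auditing||14725||Constructed record with a longer ID",
]

# The three search styles discussed in the thread.
BARE = re.compile(r"4725")                      # matches the digits anywhere in the raw text
DELIMITED = re.compile(r"\|\|4725\|\|")         # event ID must sit between "||" delimiters
FULL = re.compile(r"Microsoft-Windows-Security-Auditing\|\|4725\|\|")  # provider + event ID


def search(pattern, lines):
    """Return the raw lines that the given compiled pattern matches."""
    return [line for line in lines if pattern.search(line)]


def signature_id(windows_event_id):
    """Build the signature ID using the convention quoted in the thread: 43-2630<event id>0."""
    return f"43-2630{int(windows_event_id)}0"


if __name__ == "__main__":
    for name, pattern in (("bare", BARE), ("delimited", DELIMITED), ("full", FULL)):
        hits = search(pattern, SAMPLE_LINES)
        print(f"{name:10s} {len(hits)} hit(s)")
        for line in hits:
            print("    " + line)
    print("signature ID for 4725:", signature_id(4725))
```

The bare pattern also hits a source port, a process ID and a longer event ID, which is the noise described in the question; the delimited patterns return only the two account-disabled records.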