Capture of account creation and deletion in a restricted time frame.
I have been asked if it is possible to do the following with regard to an alert: run a rule that grabs the detail of an account that is created with high-level access and then alerts if that specific account is not deleted after 180 minutes have expired.
I don't see why it isn't possible. You'd want to look for something like "Account created" (EventID 624 on Windows 2000 and XP, 4720 on Vista/Server 2008), then something like "User.Management.Groups.Modifications.User Added"; the delete ID would be 630 on 2000/XP and 4726 on Vista/2008. I'm not too sure how you would make it fire if it's not deleted in such and such time, but I'm sure someone on here can help you out a bit more. Hope I was able to help in the slightest.
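
One way to make such a rule fire on the missing delete, as an added example that is not part of the original posts: track each create event as a pending timer, cancel it on the matching delete, and alert on privileged accounts whose timer has run past 180 minutes. The normalized event fields, the group-add event IDs (4728, 4732, 4756), the privileged group names and the sample events are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Events are assumed to be normalized to: time, event_id, account, group (optional).
CREATE_IDS = {624, 4720}             # account created (IDs from the thread)
DELETE_IDS = {630, 4726}             # account deleted (IDs from the thread)
GROUP_ADD_IDS = {4728, 4732, 4756}   # assumption: member added to a security group
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}  # assumption
MAX_LIFETIME = timedelta(minutes=180)


def overdue_privileged_accounts(events, now):
    """Privileged accounts created at least MAX_LIFETIME before `now`
    with no delete event since, as a sorted list of (account, created_at)."""
    created = {}        # account -> creation time, while the account exists
    privileged = set()  # accounts seen being added to a privileged group
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["time"] > now:
            break       # evaluate the rule as of `now`
        acct, eid = ev["account"], ev["event_id"]
        if eid in CREATE_IDS:
            created[acct] = ev["time"]
            privileged.discard(acct)   # a re-created name starts unprivileged
        elif eid in GROUP_ADD_IDS and acct in created:
            if ev.get("group") in PRIVILEGED_GROUPS:
                privileged.add(acct)
        elif eid in DELETE_IDS:
            created.pop(acct, None)    # deletion cancels the pending alert
            privileged.discard(acct)
    return sorted((a, t) for a, t in created.items()
                  if a in privileged and now - t >= MAX_LIFETIME)


def _ev(minute, event_id, account, group=None):
    return {"time": T0 + timedelta(minutes=minute), "event_id": event_id,
            "account": account, "group": group}


T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [   # constructed sample data
    _ev(0, 4720, "tmp-admin1"), _ev(1, 4728, "tmp-admin1", "Domain Admins"),
    _ev(5, 4720, "tmp-admin2"), _ev(6, 4732, "tmp-admin2", "Administrators"),
    _ev(90, 4726, "tmp-admin2"),          # deleted in time: no alert
    _ev(10, 4720, "jsmith"),              # never privileged: no alert
]

if __name__ == "__main__":
    for account, created_at in overdue_privileged_accounts(
            SAMPLE_EVENTS, T0 + timedelta(minutes=181)):
        print(f"ALERT: {account} created {created_at} still exists after 180 min")
```

Run on a schedule (or on each new event) with `now` set to the current time, the function returns only the accounts that still need an alert.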