Is there any way to find out who has modified/deleted SCCM audit logs?
Question
I found that some major settings were changed in an ongoing PROD deployment and tried to find out who had done that. I checked the audit logs but couldn't find a single entry related to the same deployment. It is happening very often in my environment. Anyone, please help?
Answer (1)
It's difficult; we have not seen this kind of alert or option out of the box.
But we are sure that in the digital world everything is traceable. There would be some events stored related to WMI somewhere, or it should be somewhere in the SQL DB.
Do you know whether the SCCM admin deleted the audit logs from the console or from the SQL database?
Depending on that, you will need to investigate further or engage security experts to perform forensic analysis on their system or terminal server.
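As an added example (not part of the answer above, and not ConfigMgr's own tooling), here is how a defender can pull the console audit trail straight from the site database and then check whether audit rows appear to be missing. It assumes read access to the ConfigMgr site database and uses the status-message views `v_StatusMessage` and `v_StatMsgWithInsStrings`; the audit message type value 768, the use of `InsString1` as the acting user, and the 7-day window are assumptions stated in the comments.

```sql
-- Added example, not from the original post. Assumes the ConfigMgr site
-- database and its documented status-message views. Run against the site DB.

-- 1) List recent audit status messages (who changed what, from which host).
--    Assumption: MessageType 768 = Audit, and for audit messages InsString1
--    carries the acting user name (DOMAIN\user). Adjust if your site differs.
SELECT
    sm.RecordID,
    sm.Time,
    sm.SiteCode,
    sm.MachineName   AS RaisedOn,     -- host whose SMS Provider logged the action
    sm.Component,                     -- console/provider component that logged it
    sm.MessageID,                     -- audit message id; look it up in the status message viewer
    sm.InsString1    AS ActingUser,   -- assumption: user account for audit messages
    sm.InsString2,                    -- remaining insertion strings usually name the object
    sm.InsString3,
    sm.InsString4
FROM v_StatMsgWithInsStrings AS sm
WHERE sm.MessageType = 768                        -- audit messages only
  AND sm.Time >= DATEADD(day, -7, GETDATE())      -- lookback window (adjust)
  AND (sm.InsString2 LIKE '%Deployment%'          -- placeholder filter: narrow to the object
    OR sm.InsString3 LIKE '%Deployment%'          -- you are investigating, or remove it
    OR sm.InsString4 LIKE '%Deployment%')
ORDER BY sm.Time DESC;

-- 2) Heuristic check for rows deleted directly from the database.
--    RecordID is a sequence shared by all status messages, so a gap inside the
--    retention window of the "Delete Aged Status Messages" task is worth a
--    closer look. Filter by SiteCode in a hierarchy, where ids are not
--    contiguous across sites. Gaps older than the retention period are normal.
WITH seq AS (
    SELECT
        RecordID,
        LAG(RecordID) OVER (ORDER BY RecordID) AS PrevID,
        Time
    FROM v_StatusMessage
    WHERE SiteCode = 'P01'                           -- placeholder site code
      AND Time >= DATEADD(day, -7, GETDATE())
)
SELECT
    PrevID,
    RecordID,
    RecordID - PrevID - 1 AS MissingRows,            -- how many ids are absent
    Time                   AS NextSurvivingRowTime
FROM seq
WHERE PrevID IS NOT NULL
  AND RecordID - PrevID > 1
ORDER BY RecordID;
```

The first query answers the original question only if the audit rows still exist; a change made through the console is written as an audit status message by the SMS Provider, so the acting account and the object name are normally present in the insertion strings. The second query cannot tell you who deleted rows, only that ids are missing: attributing a direct `DELETE` against the site database requires SQL Server Audit (or an equivalent database audit) to have been enabled before the event, which is the point at which the answer's advice to bring in forensic analysis of the admin's workstation or terminal server applies.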