Hi everyone,
I came across a strange situation. One of my customers noticed that some applications were deleted by the NT AUTHORITY\SYSTEM user; we can see it in audit events like the ones below. Also, I suspect this user might have deleted some of the alert actions too (there is no audit about actions). Does anyone have any idea about this?
Thanks
172147 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application McAfee Web Gateway (Linux and Unix) on node Unknown 2170 2170 N
172169 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SharePoint Server 2010 on node Unknown 460 460 N
172171 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SharePoint Server 2010 on node Unknown 462 462 N
172176 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SharePoint Server 2013 on node Unknown 2127 2127 N
172178 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SharePoint Server 2013 on node Unknown 2128 2128 N
172179 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SolarWinds Polling Engine Services on node Unknown 2337 2337 N
172180 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 2337 2337 N
172182 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 2246 2246 N
172184 7/25/2018 8:46 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 2234 2234 N
190486 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 1848 1848 N
190487 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Microsoft Exchange on node Unknown 1848 1848 N
190488 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Services Exchange MBX on node Unknown 1848 1848 N
190489 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Mailbox Services on node Unknown 1848 1848 N
190491 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Scheduled Tasks on node Unknown 1847 1847 N
190492 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Microsoft Exchange on node Unknown 1847 1847 N
190493 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Services Exchange MBX on node Unknown 1847 1847 N
190494 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Mailbox Services on node Unknown 1847 1847 N
190496 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Exchange 2010 Client Access Role Counters (Advanced) on node Unknown 1849 1849 N
190497 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Windows Services Exchange on node Unknown 1849 1849 N
190498 11/7/2018 6:25 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application CAS&HUB Services on node Unknown 1849 1849 N
192871 1/2/2019 7:47 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SolarWinds Manager Services on node Unknown 2380 2380 N
192872 1/2/2019 7:47 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application Microsoft IIS on node Unknown 2380 2380 N
192873 1/2/2019 7:47 AM nt authority\system 39 User NT AUTHORITY\SYSTEM deleted application SAP URL (http-https) on node Unknown 2380 2380 N