Splunk Enterprise Security

ES - Access Tracker not recording successful AD auth due to lack of dest

gf13579
Communicator

The correlation search 'Completely Inactive Accounts' makes use of the Access Tracker lookup, which records the most recent successful auth dates by user and dest.

The search that drives updates to Access Tracker requires that a successful auth event has a value for dest.

A quick glance at the successful authentication events from our DC security logs shows that the majority don't log a dest field.

sourcetype=XmlWinEventLog:Security tag=authentication action=success | fillnull | top EventCode, subject, dest

Those events all match the CIM constraints for a successful auth, but lack a dest. They make up about 95% of all the successful auths from the domain controller logs:

EventCode   subject
4776    The domain controller attempted to validate the credentials for an account
4624    An account was successfully logged on
4672    Special privileges assigned to new logon
4769    A Kerberos service ticket was requested

The only one I'm seeing with a dest is 'A logon was attempted using explicit credentials', which appears to be just that - an attempt to logon to the domain controller, rather than just authenticate.

I'm reluctant to eval dest to be the name of the DC for those event codes just to make the access tracker work - as I'm not sure whether there are other searches I could negatively impact by populating dest here.

Another option that comes to mind is to set up a custom version of Access Tracker that hard-codes dest to be host (available to tstats) where it's missing.

Also, I realise we could just give up; add LastLogonDate to our LDAP lookup and report on old AD accounts.

Anyone come across this and implemented a practical way of achieving valid results for 'Completely Inactive Accounts'?

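Added example (not from the original poster or from Splunk ES): a raw-event search that applies the second option above, filling dest from host only where the event lacks it, and tagging each row so you can see how much of the "last successful auth" picture comes from the fill versus a real dest. It assumes the field names dest, host, user and EventCode as mapped by the Windows TA's CIM extractions, and the helper field dest_source is a hypothetical name chosen here.

```spl
sourcetype=XmlWinEventLog:Security tag=authentication action=success
    EventCode IN (4624, 4672, 4769, 4776)
| eval dest_missing=if(isnull(dest) OR dest="", 1, 0)
| eval dest=if(dest_missing=1, host, dest)
| eval dest_source=if(dest_missing=1, "host (filled)", "dest (logged)")
| stats earliest(_time) AS firstTime latest(_time) AS lastTime count AS auth_count
    BY user, dest, dest_source
| convert ctime(firstTime) ctime(lastTime)
| sort - lastTime
```

Two caveats worth keeping in mind if this is turned into a lookup generator: 4769 and 4776 with dest=host say only that the DC validated the user's credentials, not that the user logged on to the DC, so the filled rows answer "is this account still in use anywhere" rather than "where has it logged on"; and keeping dest_source (or an equivalent marker) in the lookup lets any downstream search that cares about real destinations exclude the filled rows instead of being silently affected by them.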