This Splunk query, run unmodified, returns results for every account regardless of how long it existed; it then uses an "eval case" statement to label each result as "Critical" (such as an account deleted within a day of being created) or as merely noteworthy versus normal behavior.
Ensure the Splunk App for Windows is installed; grab it here: https://apps.splunk.com/app/742/
Windows Server 2008 and Newer:
sourcetype=WinEventLog:Security (EventCode=4726 OR EventCode=4720) | eval Date=strftime(_time, "%Y/%m/%d") | rex "Subject:\s+\w+\s\S+\s+\S+\s+\w+\s\w+:\s+(?<SourceAccount>\S+)" | rex "Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<DeletedAccount>\S+)" | rex "New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<NewAccount>\S+)" | eval SuspectAccount=coalesce(DeletedAccount,NewAccount) | transaction SuspectAccount startswith="EventCode=4720" endswith="EventCode=4726" | eval duration=round(((duration/60)/60)/24, 2) | eval Age=case(duration<=1, "Critical", duration>1 AND duration<=7, "Warning", duration>7, "Normal") | table Date, index, host, SourceAccount, SuspectAccount, duration, Age | rename duration as "Days Account was Active" | sort + "Days Account was Active"
Windows Server 2003 and Older:
sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=624) | eval Date=strftime(_time, "%Y/%m/%d") | transaction Target_Account_Name startswith="EventCode=624" endswith="EventCode=630" | eval duration=round(((duration/60)/60)/24, 2) | eval Age=case(duration<=1, "Critical", duration>1 AND duration<=7, "Warning", duration>7, "Normal") | table Date, index, host, Caller_User_Name, Target_Account_Name, duration, Age | rename duration as "Days Account was Active" | sort - Date
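As an added example (not part of the original post), the same pairing and aging logic as the Windows 2008+ query above, ported to Python so it can be checked offline: it reuses the query's three rex patterns against constructed 4720/4726 message text, pairs each creation with the later deletion of the same account the way transaction does, and applies the same Critical/Warning/Normal thresholds. The event text, account names and SIDs are constructed samples, and the creator is taken from the Subject of the 4720 event.

```python
import re
from datetime import datetime

# The page's three rex extractions, ported to Python named groups (Windows 2008+ layout).
SOURCE_RE = re.compile(r"Subject:\s+\w+\s\S+\s+\S+\s+\w+\s\w+:\s+(?P<SourceAccount>\S+)")
DELETED_RE = re.compile(r"Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?P<DeletedAccount>\S+)")
NEW_RE = re.compile(r"New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?P<NewAccount>\S+)")

def build_event(ts, code, source, target):
    """Constructed 4720/4726 message text in the Security log's Subject/Account layout (sample SIDs)."""
    section = "New Account:" if code == 4720 else "Target Account:"
    msg = (f"Subject:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n\tAccount Name:\t\t{source}\n"
           f"{section}\n\tSecurity ID:\t\tS-1-5-21-1-2-3-5555\n\tAccount Name:\t\t{target}\n")
    return {"_time": ts, "EventCode": code, "message": msg}

def classify(days):
    """Same thresholds as the query's eval case: <=1 day Critical, <=7 Warning, otherwise Normal."""
    return "Critical" if days <= 1 else "Warning" if days <= 7 else "Normal"

def account_lifetimes(events):
    """Pair each 4720 with the later 4726 for the same account (the query's transaction)
    and report the lifetime in days; accounts that are never deleted produce no row."""
    created, rows = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventCode"] == 4720 and (m := NEW_RE.search(ev["message"])):
            creator = SOURCE_RE.search(ev["message"]).group("SourceAccount")
            created[m.group("NewAccount")] = (ev["_time"], creator)
        elif ev["EventCode"] == 4726 and (m := DELETED_RE.search(ev["message"])):
            name = m.group("DeletedAccount")
            if name in created:  # ignore deletions of accounts created outside the window
                start, creator = created.pop(name)
                days = round((ev["_time"] - start).total_seconds() / 86400, 2)
                rows.append({"SourceAccount": creator, "SuspectAccount": name,
                             "Days Account was Active": days, "Age": classify(days)})
    return sorted(rows, key=lambda r: r["Days Account was Active"])

def demo():
    """Constructed sample: a same-day throwaway account, a short-lived one, a long-lived one, one still active."""
    events = [
        build_event(datetime(2024, 3, 1, 9), 4720, "admin1", "tempsvc"),
        build_event(datetime(2024, 3, 1, 21), 4726, "admin1", "tempsvc"),
        build_event(datetime(2024, 3, 2, 8), 4720, "hr-ops", "contractor42"),
        build_event(datetime(2024, 3, 5, 20), 4726, "helpdesk", "contractor42"),
        build_event(datetime(2024, 3, 3, 10), 4720, "admin2", "longterm"),
        build_event(datetime(2024, 3, 20, 10), 4726, "admin2", "longterm"),
        build_event(datetime(2024, 3, 4, 10), 4720, "admin2", "stillactive"),
    ]
    return account_lifetimes(events)  # tempsvc 0.5 Critical, contractor42 3.5 Warning, longterm 17.0 Normal
```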
Awesome, thanks for this.
Hi
The above query works fine, but I still see that in the majority of cases those accounts are moved after initial creation, and it is reflected under deletion, but actually it is moved, not blocked. So I think we need to add EventCode 5139 to this query as well. But kindly let me know how I can get a list of only accounts that are created and deleted but not moved.
Dinesh,
Thanks for commenting! Please join our live discussion over in Discord: https://discord.gg/fFJhGPw
I’d be happy to expand this query upon successful testing!