This query will search for accounts deleted via EventID’s that correspond with post XP/2003 operating systems. It will output the admin account, account deleted, details about the action, and the machine that the account deletion took place on.
sourcetype=WinEventLog:Security (EventCode=630) |eval Date=strftime(_time, "%Y/%m/%d")| stats count by User, Target_Account_Name, name, host, index Date | rename User as "Administrator Account" | rename Target_Account_Name as "Account Name Deleted" | rename name as "Detailed Information" |rename host as "Computer the Account was Created on" | rename index as "Index of origin"| sort - Date
The easiest method for field extractions is to Install the app “Splunk app for Windows Infrastructure” to get the regex’s needed. The app will put in place field extractions for various Windows Logs. Ensure the field extractions have “global” permissions.
The app will add the following Field Extraction: