Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Accounts Deleted within 24 Hours of Creation

WinEventLog:Security

Description

Submitted by SplunkNinja

This splunk query unmodified will return results on any account regardless of duration, however it uses an "eval case" argument to determine what is "critical" (such as accounts deleted within a day of being created) or what is simply note worthy (normal behavior). Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/   Windows Server 2008 and Newer:
12 0 
sourcetype=WinEventLog:Security (EventCode=4726 OR EventCode=4720) |eval Date=strftime(_time, "%Y/%m/%d") |rex "Subject:\s+\w+\s\S+\s+\S+\s+\w+\s\w+:\s+(?<SourceAccount>\S+)" | rex "Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<DeletedAccount>\S+)" | rex "New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<NewAccount>\S+)" | eval SuspectAccount=coalesce(DeletedAccount,NewAccount) | transaction SuspectAccount startswith="EventCode=4720" endswith="EventCode=4726" |eval duration=round(((duration/60)/60)/24, 2) | eval Age=case(duration<=1, "Critical", duration>1 AND duration<=7, "Warning", duration>7, "Normal")| table Date, index, host, SourceAccount, SuspectAccount, duration, Age | rename duration as "Days Account was Active" | sort + "Days Account was Active"
Windows Server 2003 and Older: 
sourcetype=WinEventLog:Security (EventCode=630 OR EventCode=624) |eval Date=strftime(_time, "%Y/%m/%d") | transaction Target_Account_Name startswith="EventCode=624" endswith="EventCode=630" |eval duration=round(((duration/60)/60)/24, 2) | eval Age=case(duration<=1, "Critical", duration>1 AND duration<=7, "Warning", duration>7, "Normal")| table Date, index, host, Caller_User_Name, Target_Account_Name, duration, Age | rename duration as "Days Account was Active" | sort - Date

Comments

3 total

WI
wieljer
6/10/2016

Awesome Thanks for this

DI
Dinesh Kumar V
4/24/2019

Hi \r\n The above query works fine but still I see that majority cases those accounts are moved after initial creation and it is reflecting under deletion but actually it is moved not blocked. So i think we need to add eventcode 5139 also in this query.But kindly let me know how can I can get a list of only accounts that are created and deleted but not moved.

SP
SplunkNinja Author
4/24/2019

Dinesh,\r\nThanks for commenting! Please join our live discussion over in Discord: https://discord.gg/fFJhGPw\r\n\r\nI'd be happy to expand this query upon successful testing!

Leave a comment

You must log in to post a comment.

Ad slot: bottom