• Search
  • Dashboards
  • Browse
    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • crowdstrike
      • Dashboards
      • datamodels
      • DBConnect
      • Enterprise Security
      • eval
      • F5
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • Networking
      • opensense
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime
    • Tags

      6.1.2 admin apache audit audittrail authentication Cisco Diagnostics failed logon Firewall IIS index internal license License usage Linux linux audit Login Logon malware Nessus Network Perfmon Performance qualys REST Security sourcetype splunk splunkd splunk on splunk Tenable Tenable Security Center troubleshoot troubleshooting tstats Universal Forwarder users Vulnerabilities Web Traffic Windows Windows Audit Windows Security _audit _internal
  • Post New Query
  • Our Blog
  • Search
  • Dashboards
  • Browse
    • Sourcetype

      • _audit
      • _internal
      • access_combined
      • apache
      • audittrail
      • citrix:netscaler:syslog
      • Cron
      • crowdstrike
      • Dashboards
      • datamodels
      • DBConnect
      • Enterprise Security
      • eval
      • F5
      • Fun Stuff & Helpful Hints
      • Hack
      • Hygiene
      • IIS
      • Juniper
      • Linux Performance
      • linux_secure
      • Malware
      • Monitoring
      • Networking
      • opensense
      • opsec
      • osx_secure
      • Perfmon:Available Memory
      • Perfmon:CPU Load
      • Perfmon:Free Disk Space
      • Perfmon:Network Interface
      • postfix_syslog
      • Qualys
      • REST
      • RFQ – Request For Query
      • splunkd
      • Tenable
      • Uncategorized
      • Unix:Uptime
      • WinEventLog:Application
      • WinEventLog:Security
      • WinEventLog:System
      • WinRegistry
      • WMI:Uptime
    • Tags

      6.1.2 admin apache audit audittrail authentication Cisco Diagnostics failed logon Firewall IIS index internal license License usage Linux linux audit Login Logon malware Nessus Network Perfmon Performance qualys REST Security sourcetype splunk splunkd splunk on splunk Tenable Tenable Security Center troubleshoot troubleshooting tstats Universal Forwarder users Vulnerabilities Web Traffic Windows Windows Audit Windows Security _audit _internal
  • Post New Query
  • Our Blog

Splunk Query Repository

Time between Account Creation and Account Deletion

  • WinEventLog:Security
  • SplunkNinja
  • 1 0

Below is the query indicating time (duration) between account creation and account deletion. I have added a range to indicate severity, remove and modify as needed.

Windows 2008 and newer:

1
sourcetype=WinEventLog:Security (EventCode=4726 OR EventCode=4720) |eval Date=strftime(_time, "%Y/%m/%d") |rex "Subject:\s+\w+\s\S+\s+\S+\s+\w+\s\w+:\s+(?<SourceAccount>\S+)" | rex "Target\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<DeletedAccount>\S+)" | rex "New\s\w+:\s+\w+\s\w+:\s+\S+\s+\w+\s\w+:\s+(?<NewAccount>\S+)" | eval SuspectAccount=coalesce(DeletedAccount,NewAccount) | transaction SuspectAccount startswith="EventCode=4720" endswith="EventCode=4726" |eval duration=round(duration/60, 2) | eval Age=case(duration<=240, "Critical", duration>240 AND duration<=1440, "Warning", duration>1440, "Normal")| table Date, index, host, SourceAccount, SuspectAccount, duration, Age | rename duration as "Minutes Account was Active" |rename index as "SSP or Index" | sort + "Minutes Account was Active"
Share This:
Tagged: Account creation and subsequent deletionaccount durationWindows Security

Related Queries

DLL Serach Oreder Hijacking (mitre : T1574.001)

Search for disabled AD accounts that have been re-enabled

Zerologon Detection (CVE-2020-1472)

Join the live chat on Discord

Members

Newest | Active
  • Profile picture of thelawsofchaos
    thelawsofchaos
    Active 10 hours, 52 minutes ago
  • Profile picture of wieljer
    wieljer
    Active 1 day, 10 hours ago
  • Profile picture of nicwijn
    nicwijn
    Active 6 days, 20 hours ago
  • Profile picture of yxuworyvi
    yxuworyvi
    Active 1 week, 3 days ago
  • Profile picture of wangrui
    wangrui
    Active 1 week, 4 days ago
  • Home
  • Log In
  • Register
  • About GoSplunk
  • GoSplunk FAQs
  • Contact the GoSplunk Team
  • Splunk Website
  • Splunk Documentation
  • Splunk Answers

GoSplunk is not affiliated with Splunk Inc. in any way.

© 2019 GoSplunk
  • Privacy Policy
  • Terms and Conditions
  • Forgot Password?
sponsored