https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347438#M102897 <P>for windows look for events 4720 account was created and 4732 (or related) account was added to a global security group<BR /> read here and then move to related events (from the link)<BR /> <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720</A><BR /> linux has less verbose logging than windows but i can think of some ways to monitor that. <BR /> most of the time each user will have its own home directory and therefore if you see a new source it means a new user.<BR /> also there are ways to monitor the suduers list on linux<BR /> hope it helps a little</P> Thu, 15 Jun 2017 16:14:10 GMT adonio 2017-06-15T16:14:10Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347436#M102895 <P>need a search for creation of admin accounts. For both Windows and Linux. Domain-level accounts. Thanks </P> Thu, 15 Jun 2017 15:28:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347436#M102895 MastaMia 2017-06-15T15:28:29Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347437#M102896 <P>@MastaMia - In general, your question has a greater chance of being answered by experts in the Answers community when when you provide as much information and context as possible.</P> Thu, 15 Jun 2017 15:43:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347437#M102896 aaraneta_splunk 2017-06-15T15:43:57Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347438#M102897 <P>for windows look for events 4720 account was created and 4732 (or related) account was added to a global security group<BR /> read here and then move to related events (from the link)<BR /> <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720</A><BR /> linux has less verbose logging than windows but i can think of some ways to monitor that. <BR /> most of the time each user will have its own home directory and therefore if you see a new source it means a new user.<BR /> also there are ways to monitor the suduers list on linux<BR /> hope it helps a little</P> Thu, 15 Jun 2017 16:14:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347438#M102897 adonio 2017-06-15T16:14:10Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347439#M102898 <P>interesting idea. How would you find the home directories?</P> Thu, 15 Jun 2017 19:28:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-for-the-creation-of-admin-accounts/m-p/347439#M102898 DalJeanis 2017-06-15T19:28:30Z