Re: Account Creation Event ID 4720

lsufan861 · ‎01-12-2021

I'm a novice user to Splunk and need a simple index search for account creation, time, and creator. I'm on closed domain and don't have the typical add ons. Thank you in advance.

General_Talos · ‎01-12-2021

Try this if this helps

index=* source="WinEventLog:Security" (EventCode=4720 OR EventCode=624)
    | eval CreatedBy = mvindex(Account_Name,0) 
    | eval New_User = mvindex(Account_Name,1) 
    | search CreatedBy=*
    | table _time EventCode CreatedBy New_User

cwheeler33 · ‎05-18-2022

this post saved me so much time!!!
Thank you

note1: Only need EventCode=624 if you have Windows 2008 or older systems.
note2: don't need this line, but the rest is perfect.

| search CreatedBy=*

How to create a search for Account Creation Event ID 4720?

lookup

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?