I want to run a search that alert me when a user is created and deleted in a period of time between 72 hours and 4 hours.
Could anyone help me?
Are you talking about a splunk user, an Active Directory user, a local user on a windows machine, or something else?
for splunk users , search index=_audit object=<username>
this code from this page https://answers.splunk.com/answers/368373/when-was-the-user-account-created.html
index=_audit action=edit_user operation=create
|rename object as user
|eval timestamp=strptime(timestamp, "%m-%d-%Y %H:%M:%S.%3N")
|convert timeformat="%d/%b/%Y" ctime(timestamp)
|table user timestamp
You should be able to find any deletes the same way.
For windows users, see https://answers.splunk.com/answers/144190/account-creation-and-deletion-within-a-given-time.html
I'm talking about linux user.
I can use the 'windows user' query.
Tks for your support.