Hi @mohammadsharukh, if I remember correctly, there's a sample of a short-lived account search in the Splunk Security Essentials App that I suggest. Anyway, don't use the transaction command because it's very slow; please try this search:

    sourcetype=wineventlog (EventCode=4726 OR EventCode=4720)
    | stats
        min(eval(if(EventCode=4720,_time,null()))) AS earliest
        max(eval(if(EventCode=4726,_time,null()))) AS latest
        values(dest) AS dest
        values(src_user) AS src_user
        values(Account_Domain) AS Account_Domain
        values(EventCode) AS EventCode
        BY user
    | eval
        diff=latest-earliest,
        creation_time=strftime(earliest,"%Y-%m-%d %H:%M:%S"),
        deletion_time=strftime(latest,"%Y-%m-%d %H:%M:%S")
    | where diff>=0 AND diff<240*60
    | table
        creation_time
        deletion_time
        dest
        EventCode
        user
        src_user
        Account_Domain

Ciao.
Giuseppe
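The same short-lived-account correlation, reimplemented outside Splunk as an added example (this is not Giuseppe's code and not from Splunk Security Essentials). It walks constructed 4720/4726 events per account in time order and pairs each deletion with the most recent preceding creation, which is slightly stricter than the stats version: an account that is deleted and then re-created with the same name inside the window does not produce a negative lifetime. The sample events, the 240-minute threshold and the field names (`user`, `src_user`, `dest`, `Account_Domain`, `_time`) are assumptions taken from the search above, not real log data.

```python
from datetime import datetime

# Constructed sample events (not real logs), using the field names the Splunk
# Windows add-on extracts from wineventlog: 4720 = user account created,
# 4726 = user account deleted.
SAMPLE_EVENTS = [
    # Created and deleted 90 minutes apart: the case the detection is meant to catch.
    {"_time": "2024-03-01 09:00:00", "EventCode": 4720, "user": "tmpadmin",
     "src_user": "j.doe", "dest": "DC01", "Account_Domain": "CORP"},
    {"_time": "2024-03-01 10:30:00", "EventCode": 4726, "user": "tmpadmin",
     "src_user": "j.doe", "dest": "DC01", "Account_Domain": "CORP"},
    # Created and deleted two days apart: a normal lifecycle, not flagged.
    {"_time": "2024-03-01 08:00:00", "EventCode": 4720, "user": "svc_backup",
     "src_user": "admin1", "dest": "DC01", "Account_Domain": "CORP"},
    {"_time": "2024-03-03 08:00:00", "EventCode": 4726, "user": "svc_backup",
     "src_user": "admin1", "dest": "DC01", "Account_Domain": "CORP"},
    # Created but never deleted in the window: no pair, not flagged.
    {"_time": "2024-03-01 11:00:00", "EventCode": 4720, "user": "contractor1",
     "src_user": "hr.bot", "dest": "DC02", "Account_Domain": "CORP"},
    # Deleted without a creation in the window (stale cleanup): not flagged.
    {"_time": "2024-03-01 07:00:00", "EventCode": 4726, "user": "oldacct",
     "src_user": "admin1", "dest": "DC02", "Account_Domain": "CORP"},
    # Same name deleted then re-created within the window: min(create)/max(delete)
    # would give a negative diff here; pairing in time order never flags it.
    {"_time": "2024-03-01 12:00:00", "EventCode": 4726, "user": "rotated",
     "src_user": "admin2", "dest": "DC01", "Account_Domain": "CORP"},
    {"_time": "2024-03-01 12:10:00", "EventCode": 4720, "user": "rotated",
     "src_user": "admin2", "dest": "DC01", "Account_Domain": "CORP"},
]

EVENT_CREATED = 4720
EVENT_DELETED = 4726
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _parse(ts):
    return datetime.strptime(ts, TIME_FMT)


def find_short_lived_accounts(events, max_lifetime_minutes=240):
    """Return one finding per (creation, deletion) pair living less than max_lifetime_minutes.

    Events are grouped by 'user' and walked in time order; each 4726 is paired with
    the most recent unpaired 4720 for the same account name, so a delete-then-recreate
    sequence cannot yield a negative lifetime and unpaired events are ignored.
    """
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        pending_create = None
        for ev in sorted(evs, key=lambda e: _parse(e["_time"])):
            if ev["EventCode"] == EVENT_CREATED:
                pending_create = ev
            elif ev["EventCode"] == EVENT_DELETED and pending_create is not None:
                lifetime = _parse(ev["_time"]) - _parse(pending_create["_time"])
                seconds = int(lifetime.total_seconds())
                if seconds < max_lifetime_minutes * 60:
                    findings.append({
                        "user": user,
                        "creation_time": pending_create["_time"],
                        "deletion_time": ev["_time"],
                        "lifetime_seconds": seconds,
                        # values() in the SPL collapses to a sorted set; do the same here.
                        "dest": sorted({pending_create["dest"], ev["dest"]}),
                        "src_user": sorted({pending_create["src_user"], ev["src_user"]}),
                        "Account_Domain": sorted({pending_create["Account_Domain"],
                                                  ev["Account_Domain"]}),
                    })
                pending_create = None
    return findings


if __name__ == "__main__":
    for finding in find_short_lived_accounts(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample events, only `tmpadmin` is reported; lowering `max_lifetime_minutes` below 90 reports nothing. If you need the stats-style behaviour of one row per account regardless of how many create/delete cycles occurred, collapse the findings by `user` afterwards rather than loosening the pairing.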