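```Detection: bulk deletion of computer accounts (EventCode 4743), bulk deletion of user accounts (4726) and bulk disabling of user accounts (4725). Each branch counts distinct targets per actor (SubjectUserName) in 5-minute buckets and keeps only buckets with more than 10 targets. The threshold of 10 and the 5m span are hard-coded in each branch; tune both together.```
```Exclusions are not uniform: the 4743 branch excludes Win_Dir, the 4726 branch excludes EC_Okta, the 4725 branch excludes both. Anything those accounts do is invisible to this search, so it assumes they are trusted automation — confirm with the owners of those accounts, and monitor their own logons separately since a compromise of either would not surface here.```
index=winsec sourcetype=XmlWinEventLog EventCode=4743 NOT SubjectUserName="Win_Dir"
| bin _time span=5m
| stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(TargetUserName) as Computer_user_deleted, values(TargetDomainName) as User_Domain, dc(TargetUserName) as computeruser_count by _time, SubjectUserName
| rename SubjectUserName as Deleted_by_User
| where computeruser_count > 10
```Each append runs a subsearch, which is subject to Splunk's subsearch result and runtime limits; if a branch is truncated the search finishes without an error and events are silently dropped. If that happens in practice, rewrite as one search over EventCode IN (4743,4726,4725) with a conditional eval instead of append.```
| append [search index=winsec sourcetype=XmlWinEventLog EventCode=4726 NOT (SubjectUserName = "EC_Okta")
| bin _time span=5m
| stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(object) as User_account_deleted, dc(object) as User_account_deleted_count by _time, SubjectUserName
| rename SubjectUserName as src_user
| where User_account_deleted_count > 10]
| append [search index=winsec sourcetype=XmlWinEventLog EventCode=4725 NOT (SubjectUserName = "EC_Okta" OR SubjectUserName = "Win_Dir")
| bin _time span=5m
| stats values(EventCode) as EventCode, values(signature) as EventCodeDescription, values(TargetUserName) as disabled_account, values(TargetDomainName) as User_Domain, dc(TargetUserName) as disabledaccount_count by _time, SubjectUserName
| rename SubjectUserName as src_user
| where disabledaccount_count > 10]
```The first branch names the actor Deleted_by_User while both appended branches name it src_user, so the combined result has no single actor field to alert, group or throttle on. Populate src_user for every row; Deleted_by_User is left in place for existing consumers of the 4743 branch.```
| eval src_user=coalesce(src_user, Deleted_by_User)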