I am searching for AD accounts that are created and deleted in a short period, but we have a multiple forest environment, and as a result, when an account is created on domain A with the same ID as an account deleted on domain B, it correlates those events. I need to limit my transaction to only correlate events that occur on the same domain.
Current search is as follows:
index=wineventlog sourcetype=wineventlog (EventCode=630 OR EventCode=4726 OR EventCode=624 OR EventCode=4720) (Account_Domain=a OR Account_Domain=b OR Account_Domain=c)
| transaction user startswith=status="Account Creation" endswith=status="Account Deletion" maxevents=2
In other words, I am trying to add a way to the above search so it only reports a short term account where the account creation domain = account deletion domain. Any help is much appreciated!
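The pairing logic the question asks for, as an added illustration that is not part of the original post: the domain is made part of the grouping key, so a deletion on one domain can never close a creation on another. In SPL this corresponds to `| transaction user, Account_Domain startswith=... endswith=... maxevents=2 maxspan=24h` (an assumed rewrite; the 24-hour window, the sample events and the field values below are all constructed here, and `Account_Domain` is assumed to be the domain of the created/deleted account rather than of the administrator performing the action).

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the original post). Each dict holds the
# fields the search above relies on; 4720 = user account created, 4726 = deleted.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T09:00:00", "EventCode": 4720, "user": "svc_tmp",
     "Account_Domain": "a", "status": "Account Creation"},
    {"_time": "2024-01-10T09:20:00", "EventCode": 4726, "user": "svc_tmp",
     "Account_Domain": "a", "status": "Account Deletion"},      # same domain: pairs
    {"_time": "2024-01-10T10:00:00", "EventCode": 4720, "user": "jdoe",
     "Account_Domain": "b", "status": "Account Creation"},
    {"_time": "2024-01-10T10:05:00", "EventCode": 4726, "user": "jdoe",
     "Account_Domain": "c", "status": "Account Deletion"},      # other domain: no pair
    {"_time": "2024-01-10T11:00:00", "EventCode": 4720, "user": "build01",
     "Account_Domain": "b", "status": "Account Creation"},
    {"_time": "2024-01-12T11:00:00", "EventCode": 4726, "user": "build01",
     "Account_Domain": "b", "status": "Account Deletion"},      # outside the window
]


def short_lived_accounts(events, max_span=timedelta(hours=24)):
    """Pair each account creation with the next deletion of the same (user, domain).

    Mirrors the assumed SPL `transaction user, Account_Domain ... maxspan=24h`:
    because the domain is in the key, cross-forest events with a matching
    sAMAccountName are never joined into one transaction.
    """
    open_creations = {}  # (user, domain) -> creation timestamp
    results = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["user"].lower(), ev["Account_Domain"].lower())
        ts = datetime.fromisoformat(ev["_time"])
        if ev["status"] == "Account Creation":
            open_creations[key] = ts  # a newer creation restarts the transaction
        elif ev["status"] == "Account Deletion" and key in open_creations:
            created = open_creations.pop(key)
            if ts - created <= max_span:
                results.append({"user": key[0], "domain": key[1],
                                "lifetime": ts - created})
    return results


if __name__ == "__main__":
    for hit in short_lived_accounts(SAMPLE_EVENTS):
        print(f"{hit['user']}@{hit['domain']} lived {hit['lifetime']}")
```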