I'm not getting what I need; it's just changing the name by prefixing ADM- in front of the username.
Maybe I was not clear with the query. I need to search whether existing ADM accounts are present or not for the users that are disabled, as we don't have an ADM account for all the users.
Running this query is not solving the issue:
sourcetype="WinEventLog:Security" EventCode=4725 user!="$" | dedup user | table user
| eval adm_username="adm-".user
| join type=left adm_username [search sourcetype="WinEventLog:Security" EventCode=4725 user!="$" OR user="adm-*" | rename user as adm_username status as adm_status | table adm_username,adm_status]