Query Details

Account Created Added to Local Administrator

Query

SecurityEvent
| where AccountType == "User"
// Event ID 4720 = A user account was created. Event ID 4732 = A member was added to a security-enabled local group.
// EventID is an integer column in SecurityEvent, so compare against integer literals.
| where EventID == 4720 or EventID == 4732
| project TargetAccount

Explanation

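This query reads the SecurityEvent table and keeps only events where AccountType is "User" and EventID is either 4720 (a user account was created) or 4732 (a member was added to a security-enabled local group). It then projects the TargetAccount column from the filtered results. Event 4732 is logged for any security-enabled local group, and the query as written neither restricts it to the Administrators group nor ties the two events to the same account, so its output lists every match of either event.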
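A stricter version of the detection named in the title, as an added example that is not part of the original page or the author's query: it joins each 4720 creation to a 4732 add on the same computer where the group is the built-in Administrators group (well-known SID S-1-5-32-544) and the added member's SID matches the new account. The 1-day lookback and 1-hour correlation window are assumptions to tune, and the query assumes the standard SecurityEvent columns TargetSid, MemberSid and SubjectAccount are populated.

```kql
// Added example: correlate account creation with a later add to BUILTIN\Administrators.
let lookback = 1d;   // assumed lookback; tune to your rule schedule
let window = 1h;     // assumed maximum gap between creation and group add
SecurityEvent
| where TimeGenerated > ago(lookback)
| where AccountType == "User" and EventID == 4720        // a user account was created
| project CreatedTime = TimeGenerated,
          Computer,
          CreatedAccount = TargetAccount,                // the new account
          CreatedSid = TargetSid,                        // SID of the new account
          CreatedBy = SubjectAccount                     // who created it
| join kind=inner (
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where AccountType == "User" and EventID == 4732    // member added to a security-enabled local group
    | where TargetSid == "S-1-5-32-544"                  // in 4732 the target is the group: built-in Administrators
    | project AddedTime = TimeGenerated,
              Computer,
              CreatedSid = MemberSid,                    // SID of the member that was added
              AddedBy = SubjectAccount                   // who performed the add
  ) on Computer, CreatedSid
// Keep only adds that follow the creation within the window.
| where AddedTime >= CreatedTime and AddedTime <= CreatedTime + window
| project CreatedTime, AddedTime, Computer, CreatedAccount, CreatedBy, AddedBy
```

Filtering on the group SID rather than the group name keeps the match working on hosts where the Administrators group has a localized or renamed display name.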

Details

Rod Trent

Released: April 13, 2021

Tables

SecurityEvent

Keywords

SecurityEvent,AccountType,User,EventID,TargetAccount

Operators

where, ==, or, project