Query Details

Device Detect Local User Created

Query

//Detect when a local user account is created on an endpoint

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "UserAccountCreated"
//Exclude defaultuser1 which is created by Windows through different processes
| where AccountName != "defaultuser1"
| project
    TimeGenerated,
    DeviceName,
    ['Account Created Name']=AccountName,
    Actor=InitiatingProcessAccountName

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "UserAccountCreated"
//Exclude defaultuser1 which is created by Windows through different processes
| where AccountName != "defaultuser1"
| project
    Timestamp,
    DeviceName,
    ['Account Created Name']=AccountName,
    Actor=InitiatingProcessAccountName

Explanation

This query detects when a local user account is created on an endpoint. It uses the M365 Defender - Device* tables data connector in Microsoft Sentinel or the Advanced Hunting license data connector; the two versions are identical apart from the timestamp column (TimeGenerated in Sentinel, Timestamp in Advanced Hunting). The query filters DeviceEvents for events where the ActionType is "UserAccountCreated" and excludes the defaultuser1 account, which Windows itself creates through different processes. It projects the TimeGenerated or Timestamp, DeviceName, Account Created Name (AccountName), and the Actor (InitiatingProcessAccountName, the account under which the creating process was running).
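To move from this hunting query toward something closer to an alertable rule, the following is an added example, not part of the original page or the author's query: it keeps the same filter, adds the creating process and command line as triage context, and rolls results up per device and day. It assumes the standard DeviceEvents columns InitiatingProcessFileName, InitiatingProcessCommandLine and AccountSid, and the threshold of two or more accounts per device per day is an arbitrary starting point to tune.

```kql
// Added example (not the page's own query). Microsoft Sentinel column names;
// replace TimeGenerated with Timestamp for Advanced Hunting.
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "UserAccountCreated"
// Same exclusion as the base query: Windows creates defaultuser1 itself
| where AccountName != "defaultuser1"
// Keep the creating process and its command line so an analyst can tell
// provisioning tooling apart from an interactive "net user /add"
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountSid,
    Actor=InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
// Roll up per device per day: several accounts created on one host in a
// day is unusual outside of provisioning and deserves a look
| summarize
    FirstSeen=min(TimeGenerated),
    LastSeen=max(TimeGenerated),
    AccountCount=dcount(AccountName),
    AccountsCreated=make_set(AccountName),
    Actors=make_set(Actor),
    CreatingProcesses=make_set(InitiatingProcessFileName),
    CommandLines=make_set(InitiatingProcessCommandLine)
    by DeviceName, Day=bin(TimeGenerated, 1d)
// Threshold is a constructed starting point; lower it to 1 to alert on
// every creation, or add a known provisioning process to the exclusion above
| where AccountCount >= 2
| order by AccountCount desc, FirstSeen asc
```

Run the summarized form on a few weeks of data first to learn which CreatingProcesses are normal in the environment before turning it into an analytics rule.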

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents, TimeGenerated, DeviceName, AccountCreatedName, Actor, ActionType, AccountName, Timestamp, InitiatingProcessAccountName

Operators

|, where, >, ago(), ==, !=, project, =
