Query Details

Security Event Visualize Accounts Created Disabled Deleted

Query

//Visualize Active Directory accounts created, disabled and deleted per day

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

SecurityEvent
| where TimeGenerated > ago(30d)
| where AccountType == "User"
| project TimeGenerated, Account, EventID, TargetAccount
// 4720 = user account created, 4725 = user account disabled, 4726 = user account deleted
| where EventID in (4720, 4725, 4726)
// exclude computer accounts, whose names end in "$"
| where TargetAccount !endswith "$"
| summarize
    ['Accounts Created']=countif(EventID == 4720),
    ['Accounts Deleted']=countif(EventID == 4726),
    ['Accounts Disabled']=countif(EventID == 4725)
    by Day=startofday(TimeGenerated)
| render columnchart
    with (
    kind=unstacked,
    xtitle="Day",
    ytitle="Count",
    title="Active Directory User Accounts Created, Disabled and Deleted per day")

Explanation

This query visualizes the number of Active Directory user accounts that are created, disabled, and deleted each day over the last 30 days. It reads the SecurityEvent table, which is populated by the Windows Security Events via AMA connector or the Security Events via Legacy Agent connector. The query keeps only events where AccountType is "User" and the EventID is 4720 (account created), 4725 (account disabled) or 4726 (account deleted), and drops target accounts ending in "$" so that computer accounts are not counted. It then groups the remaining events by the start of each day and counts the occurrences of each event type. Finally, it renders the results as an unstacked column chart with the x-axis representing the days and the y-axis representing the count of events. The chart is titled "Active Directory User Accounts Created, Disabled and Deleted per day". Because the chart only shows daily totals, a spike in creations or deletions is the signal to follow up on: it does not by itself show which account was touched or who performed the change.
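Daily totals hide one pattern a defender usually wants to see: an account that is created and deleted again within a short time, which contributes one count to each bar and then disappears. The following KQL is an added example, not part of the original query or Matt Zorich's repository; it assumes the same SecurityEvent table and the standard SubjectAccount and Computer columns, and uses a 24h lifetime window that is an assumed threshold to tune.

```kql
// Added example: user accounts created and then deleted within 24 hours.
// Assumes the SecurityEvent table from the same connectors as the query above.
let lookback = 30d;
let max_lifetime = 24h;   // assumed threshold; adjust to your environment
let created = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4720                    // A user account was created
    | where TargetAccount !endswith "$"        // ignore computer accounts
    | project CreatedTime = TimeGenerated, TargetAccount,
              CreatedBy = SubjectAccount, Computer;
let deleted = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4726                    // A user account was deleted
    | where TargetAccount !endswith "$"
    | project DeletedTime = TimeGenerated, TargetAccount,
              DeletedBy = SubjectAccount;
created
| join kind=inner deleted on TargetAccount
| extend Lifetime = DeletedTime - CreatedTime
// keep only pairs where the deletion follows the creation within the window
| where Lifetime between (0s .. max_lifetime)
| project CreatedTime, DeletedTime, Lifetime, TargetAccount,
          CreatedBy, DeletedBy, Computer
| order by CreatedTime desc
```

The join on TargetAccount pairs every creation with every deletion of the same account name in the lookback period, so the Lifetime filter is what removes unrelated pairs (for example a legitimate account deleted weeks after it was created). Surfacing CreatedBy and DeletedBy alongside the timestamps gives the reviewer the two facts the daily chart cannot show: which account it was and which principal made the change.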

Details


Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

ActiveDirectory,Accounts,Created,Disabled,Deleted,Day

Operators

where, project, summarize, by, render, countif
