# User Account Deletion

## Query Information

#### Description
Lists the deleted users based on EventId 4726.


## Sentinel
```KQL
SecurityEvent
| where EventID == 4726
| project TimeGenerated, DeletedUser = TargetAccount, Domain = TargetDomainName, Initiator = SubjectAccount, Activity 
```

## Explanation

This query is designed to identify and list user accounts that have been deleted. It specifically looks for events with the ID 4726, which corresponds to user account deletions in Windows security logs. The query retrieves and displays the following information for each deletion event:

  • TimeGenerated: The date and time when the deletion event occurred.
  • DeletedUser: The username of the account that was deleted.
  • Domain: The domain to which the deleted user account belonged.
  • Initiator: The username of the account that initiated the deletion.
  • Activity: Additional details about the event.

In summary, this query helps track when and by whom user accounts were deleted in a system.
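The following is an added example, not part of the original query or the author's repository. It runs the same filter and projection against constructed sample rows and then goes one step further by grouping deletions per initiator and hour, so a burst of deletions from one account stands out. The `SampleSecurityEvent` table, its account names, and the `DeletionThreshold` value are assumptions made for illustration.

```kql
// Constructed sample rows standing in for the SecurityEvent table (not real log data).
let SampleSecurityEvent = datatable(
    TimeGenerated: datetime, EventID: int, Activity: string,
    TargetAccount: string, TargetDomainName: string, SubjectAccount: string)
[
    datetime(2025-06-16 09:00:05), 4726, "4726 - A user account was deleted.", @"CONTOSO\temp01", "CONTOSO", @"CONTOSO\helpdesk1",
    datetime(2025-06-16 09:00:41), 4726, "4726 - A user account was deleted.", @"CONTOSO\temp02", "CONTOSO", @"CONTOSO\helpdesk1",
    datetime(2025-06-16 09:01:12), 4726, "4726 - A user account was deleted.", @"CONTOSO\temp03", "CONTOSO", @"CONTOSO\helpdesk1",
    datetime(2025-06-16 14:30:00), 4726, "4726 - A user account was deleted.", @"CONTOSO\jdoe",   "CONTOSO", @"CONTOSO\admin2",
    // Non-matching event (account creation) to show the EventID filter at work.
    datetime(2025-06-16 14:31:00), 4720, "4720 - A user account was created.", @"CONTOSO\newhire", "CONTOSO", @"CONTOSO\admin2"
];
// Assumed threshold: deletions by one initiator within one hour that merit review.
let DeletionThreshold = 3;
SampleSecurityEvent
// Same filter and projection as the query on this page.
| where EventID == 4726
| project TimeGenerated, DeletedUser = TargetAccount, Domain = TargetDomainName, Initiator = SubjectAccount, Activity
// Added step: one row per initiator, domain and hour, listing the accounts removed.
| summarize Deletions = count(),
            DeletedUsers = make_set(DeletedUser),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Initiator, Domain, bin(TimeGenerated, 1h)
| extend AboveThreshold = Deletions >= DeletionThreshold
| order by Deletions desc
```

To use it against live data, replace `SampleSecurityEvent` with `SecurityEvent` and tune the threshold to the normal deletion volume of your administrators.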

Details

Bert-Jan Pals

Released: June 16, 2025

Tables

SecurityEvent

Keywords

SecurityEvent, TimeGenerated, DeletedUser, Domain, Initiator, Activity

Operators

where, project
