User Account Deletion
Query
SecurityEvent
| where EventID == 4726
| project TimeGenerated, DeletedUser = TargetAccount, Domain = TargetDomainName, Initiator = SubjectAccount, ActivityAbout this query
User Account Deletion
Query Information
Description
Lists the deleted users based on EventId 4726.
Sentinel
Explanation
This query is designed to identify and list user accounts that have been deleted. It specifically looks for events with the ID 4726, which corresponds to user account deletions in Windows security logs. The query retrieves and displays the following information for each deletion event:
- TimeGenerated: The date and time when the deletion event occurred.
- DeletedUser: The username of the account that was deleted.
- Domain: The domain to which the deleted user account belonged.
- Initiator: The username of the account that initiated the deletion.
- Activity: Additional details about the event.
In summary, this query helps track when and by whom user accounts were deleted in a system.
Details

Bert-Jan Pals
Released: June 16, 2025
Tables
SecurityEvent
Keywords
SecurityEventTimeGeneratedDeletedUserDomainInitiatorActivity
Operators
whereproject