EQL Query for User account creation and deletion

anaghadeoreofficial · December 8, 2021, 9:35am

I am currently working on one use case for winlogbeat data. Usecase is as follows:

Use Case: Trigger alert if the user account is deleted within one hour after creation.

Trying to understand the EQL syntax for the above use case. Using winlog event id: 4720 and 4726 for account creation and deletion.

Help me to fine-tune the above query.

system · January 5, 2022, 9:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Console use to find new accounts created Elastic Security	1	327	July 9, 2021
Elastic Query for alerts Windows Elasticsearch	1	316	February 1, 2022
Question about searching winlog events Elasticsearch	1	483	August 20, 2019
Event correlation rule for new user creation Elastic Agent elastic-stack-security	1	243	October 3, 2022
Winlogbeat - Deletion of specific event IDs which are older than 3 months Beats winlogbeat	4	337	December 6, 2023