Users and Groups Activities
Users Created
`event_sources` eventtype=windows_account_created $keyword$
| timechart count
$interval.earliest$$interval.latest$1
Attempts to login with disabled accounts
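`event_sources` name="A member was added to a security-enabled *" AND ("Enterprise Admins" OR "Domain Admins") $keyword$
```Members added to Enterprise Admins or Domain Admins. The two group names are bare phrase terms, so they match anywhere in the raw event text (a member name or description containing the phrase also matches); the local Administrators panel filters on user_group instead - verify that field is populated for these group events before tightening this filter. The keyword token is inserted into the search unescaped; if that input is free text, apply the s filter to the token or constrain the input so a viewer cannot alter the search.```
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
```Security_ID is multivalue: index 0 is assumed to be the account that made the change and index 1 the member added - confirm on a sample event. Both evals run before dedup so the dedup key is the member shown in the table rather than whatever user value was extracted upstream (dedup also drops events that lack the field).```
| eval added_by=mvindex(Security_ID,0)
| eval user=mvindex(Security_ID,1)
| dedup _time,user
| table _time, server,domain, user,added_by$interval.earliest$$interval.latest$1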
Users Added to local Administrators
`event_sources` name="A member was added to a security-enabled local group" AND user_group="Administrators" $keyword$
```Members added to the local Administrators group, one row per event. Security_ID is multivalue: position 0 is taken as the account that made the change, position 1 as the member that was added.```
| eval added_by=mvindex(Security_ID,0), user=mvindex(Security_ID,1)
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name", host as server
| table _time, server, domain, user, added_by$interval.earliest$$interval.latest$1
Users Created
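`event_sources` eventtype=windows_account_created $keyword$
```Accounts created, one row per event. The keyword token is applied here as on the other panels; it was missing from this table while the Users Created timechart used it.```
| rename dest_nt_domain as domain, EventCode as "event id", Display_Name as "user name",host as server
| dedup _time,user
```Account_Name is multivalue; index 0 is assumed to be the account that created the new user - confirm on a sample event.```
| eval created_by=mvindex(Account_Name,0)
| table _time, server,domain, user,"user name", created_by
```sort without an explicit 0 limit keeps at most 10000 rows.```
| sort _time$interval.earliest$$interval.latest$1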
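`event_sources` name="A security-enabled global group was created" $keyword$
```Security-enabled global groups created, deduplicated per timestamp and group. The keyword token is applied here as on the other panels; this search was the only one besides the Users Created table that did not honour it.```
| dedup _time,Group_Name
| rename dest_nt_domain as domain, EventCode as "event id", user as "created_by",host as server
| table _time, server,domain,Group_Name, created_by
```sort without an explicit 0 limit keeps at most 10000 rows.```
| sort _time$interval.earliest$$interval.latest$1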
Groups Deleted
`event_sources` name="A security-enabled global group was deleted" $keyword$
```Security-enabled global groups deleted, one row per event; the user field is shown as the account that performed the deletion.```
| rename dest_nt_domain as domain
| rename EventCode as "event id"
| rename user as "Deleted by"
| rename host as server
| table _time, server, domain, Group_Name, "Deleted by"
| sort _time$interval.earliest$$interval.latest$1