win user creation and failed logons

User account creation by day (last 7d) (EventCode 624,4720)

sourcetype=whatever (EventCode=624 OR EventCode=4720) | timechart span=1d limit=40 count by user

List of Users created (last 7d) (EventCode 624,4720)

sourcetype=whatever (EventCode=624 OR EventCode=4720) | dedup user | sort user | table user

Admins Created (based on name) by time  (last 7d)  (EventCode 624,4720)

sourcetype=whatever (EventCode=624 OR EventCode=4720) user=admin* | table _time, src_user, user, ComputerName

Users created (last 7d) by time (EventCode 624,4720)

sourcetype=whatever (EventCode=624 OR EventCode=4720) | sort -_time | table _time, src_user, user, ComputerName

Users added to a security-enabled global group whose name contains "admin" (last 7d) (EventCode 4728; the local and universal group equivalents are 4732 and 4756). The member appears as a distinguished name, so the CN is pulled out before grouping:

sourcetype=whatever EventCode=4728 src_user!=DeploymentUser Group_Name=*admin* | rex field=user "(?i)CN=(?<username>[^,]+)" | stats values(Group_Name) as Group_Names by src_user, username, Group_Domain

Accounts with more than 4 failed logons in the last 24h (EventCode 4625)

sourcetype="whatever" EventCode=4625 (Sub_Status=0xC000006A OR Sub_Status=0xC0000072 OR Sub_Status=0xC0000234) user!=*$ | stats count as failedlogins by user, src, src_city, Failure_Reason, Sub_Status | where failedlogins > 4 | sort -failedlogins | table user, src, src_city, Failure_Reason, Sub_Status, failedlogins

The Sub_Status filter keeps only bad password (0xC000006A), account disabled (0xC0000072) and account locked out (0xC0000234); user!=*$ drops computer accounts, whose names end in a dollar sign. src_city only populates if a geo lookup has been applied to src.
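The two non-trivial pieces of the searches above, the member-name CN extraction for 4728 and the failed-logon threshold for 4625, reproduced in Python and run over constructed sample events. This is an added example, not code from the original post; the event dictionaries are made up and shaped like the Splunk fields the searches use (EventCode, user, src, Sub_Status). Note that Windows renders Sub_Status in varying case across OS versions; Splunk matches field values case-insensitively, Python does not, so the code normalises before comparing.

```python
import re
from collections import Counter

# NTSTATUS sub-status codes from the page's 4625 search:
#   0xC000006A  wrong password
#   0xC0000072  account disabled
#   0xC0000234  account locked out
# Stored lower-case so '0xc000006a' and '0xC000006A' both match.
INTERESTING_SUB_STATUS = {s.lower() for s in ("0xC000006A", "0xC0000072", "0xC0000234")}


def norm_status(status):
    """Normalise a Sub_Status value for case-insensitive comparison."""
    return status.strip().lower()


def is_machine_account(user):
    """Computer accounts end in '$'; the search drops them with user!=*$."""
    return user.endswith("$")


def failed_logon_offenders(events, threshold=4):
    """Replicate: stats count by user, src, Sub_Status | where count > threshold.

    Returns (user, src, sub_status, count) tuples, most failures first.
    """
    counts = Counter()
    for e in events:
        if e["EventCode"] != 4625:
            continue
        sub = norm_status(e["Sub_Status"])
        if sub not in INTERESTING_SUB_STATUS or is_machine_account(e["user"]):
            continue
        counts[(e["user"], e["src"], sub)] += 1
    hits = [(u, s, sub, n) for (u, s, sub), n in counts.items() if n > threshold]
    return sorted(hits, key=lambda row: row[3], reverse=True)


def member_cn(member_name):
    """Pull the CN out of a 4728 Member Name DN, case-insensitively.

    Same intent as the page's rex "CN=(?<username>.*?)," but it does not care
    whether the log writes 'cn=' or 'CN='.
    """
    m = re.search(r"(?i)\bCN=([^,]+)", member_name)
    return m.group(1) if m else None


# Constructed sample events (not real logs), shaped like the Splunk fields.
def _ev(user, src, sub, code=4625):
    return {"EventCode": code, "user": user, "src": src, "Sub_Status": sub}


SAMPLE_4625 = (
    [_ev("jdoe", "10.0.0.5", "0xc000006a")] * 6          # bad password x6 -> flagged
    + [_ev("asmith", "10.0.0.9", "0xC000006A")] * 3      # only 3 -> below threshold
    + [_ev("WS01$", "10.0.0.7", "0xC0000234")] * 5       # machine account -> excluded
    + [_ev("bjones", "10.0.0.8", "0xC0000064")] * 5      # 'no such user' -> not in filter
    + [_ev("svc_backup", "10.0.1.2", "0xC0000072")] * 5  # disabled account x5 -> flagged
    + [_ev("jdoe", "10.0.0.5", "0xC000006A", code=4624)] # successful logon -> ignored
)

if __name__ == "__main__":
    for row in failed_logon_offenders(SAMPLE_4625):
        print(row)
    print(member_cn("cn=Jane Admin,OU=IT,DC=corp,DC=example"))
```

Running it flags jdoe (6 bad passwords from one source) and svc_backup (5 attempts against a disabled account), while the computer account, the "no such user" failures and the successful 4624 are left out, which is exactly what the SPL filters are meant to do.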

sourcetype=whatever is a placeholder for the Windows Security event log (typically WinEventLog:Security) forwarded by the Splunk Universal Forwarder installed on a domain controller. EventCode 624 is the Windows 2000/2003 account-creation event and 4720 its Windows Server 2008 and later equivalent, which is why the creation searches match both.