win user creation and failed logons
User account creation by day (last 7d) (EventCode 624,4720)
sourcetype=whatever (EventCode=624 OR EventCode=4720) | timechart limit=40 count by user
List of Users created (last 7d) (EventCode 624,4720)
sourcetype=whatever (EventCode=624 OR EventCode=4720) | dedup user | sort user | table user
Admins Created (based on name) by time (last 7d) (EventCode 624,4720)
sourcetype=whatever (EventCode=624 OR EventCode=4720) user=admin* | table _time, src_user, user, ComputerName
Users created (last 7d) by time (EventCode 4720)
sourcetype=whatever (EventCode=624 OR EventCode=4720) | sort -_time | table _time, src_user, user, ComputerName
List of Users who have been assigned to a special group (last 7d) (EventCode 4728)
sourcetype=whatever EventCode=4728 src_user!=DeploymentUser Group_Name=*admin* | eval user=upper(substr(user,1,2)).substr(user,3) | rex field=user "CN=(?<username>.*?)," | stats values(Group_Name) as Group_Names by src_user,username,Group_Domain
Accounts that have failed to logon more than 4 times in last 24h (EventCode 4625)
sourcetype="whatever" EventCode=4625 (Sub_Status=0xC000006A OR Sub_Status=0xC0000072 OR Sub_Status=0xC0000234) user!=*$ | stats count as failedlogins by user, src, src_city, Failure_Reason, Sub_Status | where failedlogins >4 | sort -failedlogins | table user, src, src_city, Failure_Reason, Sub_Status, failedlogins
sourcetype is the Windows Security event log sent by the Splunk forwarding agent on a domain controller (DC)
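The failed-logon threshold search (4625) and the admin-group-addition search (4728) above, reimplemented in Python over constructed events as an added example that is not part of the original page, so the filter and grouping logic can be checked offline; field names follow the searches on the page, and every account, host, address and group value is invented.

```python
import re
from collections import Counter, defaultdict

# Sub_Status values the 4625 search keys on: bad password, account disabled, locked out.
FAILURE_SUB_STATUS = {"0xC000006A", "0xC0000072", "0xC0000234"}
CN_RE = re.compile(r"CN=(?P<username>.*?),")  # same pattern as the page's rex
def _fail(user, src, sub_status, n):  # n constructed 4625 events for one triple
    return [{"EventCode": 4625, "user": user, "src": src, "Sub_Status": sub_status}] * n
def _add(src_user, user, group, domain="CORP"):  # one constructed 4728 event
    return {"EventCode": 4728, "src_user": src_user, "user": user,
            "Group_Name": group, "Group_Domain": domain}

# Constructed sample data (not real logs); every name, host and address is made up.
SAMPLE_EVENTS = (
    _fail("jsmith", "10.0.0.5", "0xC000006A", 6)      # 6 bad passwords: over the threshold
    + _fail("jsmith", "10.0.0.5", "0xC0000234", 1)    # 1 lockout: separate group, under it
    + _fail("WKS01$", "10.0.0.9", "0xC000006A", 8)    # machine account: dropped by user!=*$
    + _fail("bjones", "10.0.0.7", "0xC000006D", 9)    # Sub_Status not in the watched set
    + [_add("DeploymentUser", "CN=svc1,OU=Svc,DC=corp", "Domain Admins"),  # excluded src_user
       _add("alice", "cn=bob,OU=Users,DC=corp", "Server Admins"),          # lowercase cn=
       _add("alice", "CN=bob,OU=Users,DC=corp", "Domain Admins"),
       _add("alice", "CN=carol,OU=Users,DC=corp", "Finance")]              # not an *admin* group
)

def failed_logon_offenders(events, threshold=4):
    """4625 search: count failures per (user, src, Sub_Status), skip machine
    accounts (user ending in '$'), keep count > threshold, sort descending."""
    counts = Counter()
    for ev in events:
        if (ev.get("EventCode") != 4625 or ev.get("Sub_Status") not in FAILURE_SUB_STATUS
                or ev.get("user", "").endswith("$")):
            continue
        counts[(ev["user"], ev["src"], ev["Sub_Status"])] += 1
    return sorted(((k, c) for k, c in counts.items() if c > threshold), key=lambda kv: -kv[1])

def admin_group_additions(events, excluded_src_user="DeploymentUser"):
    """4728 search: uppercase the first two chars of user (so 'cn=' matches the rex),
    pull the CN, keep *admin* groups (Splunk wildcards are case-insensitive),
    and collect Group_Name values per (src_user, username, Group_Domain)."""
    groups = defaultdict(set)
    for ev in events:
        if (ev.get("EventCode") != 4728 or ev.get("src_user") == excluded_src_user
                or "admin" not in ev.get("Group_Name", "").lower()):
            continue
        user = ev["user"][:2].upper() + ev["user"][2:]
        m = CN_RE.search(user)
        if m:
            groups[(ev["src_user"], m.group("username"), ev["Group_Domain"])].add(ev["Group_Name"])
    return {k: sorted(v) for k, v in groups.items()}
```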