Data Source: Windows Event Log Security 4726

Date: 2025-01-23

ID: 0b56dcd7-0f72-4a05-9226-d6059781737b

Author: Patrick Bareiss, Splunk

Description

Logs an event when a user account is deleted from Active Directory.

Details

Property	Value
Source	`XmlWinEventLog:Security`
Sourcetype	`xmlwineventlog`
Separator	EventCode

Supported Apps

Splunk Add-on for Microsoft Windows (version 9.0.1)

Event Fields

+ Fields


            1
            _time
          
            3
            Caller_Domain
          
            5
            Caller_User_Name
          
            7
            CategoryString
          
            9
            Channel
          
            11
            Computer
          
            13
            Error_Code
          
            15
            EventCode
          
            17
            EventData_Xml
          
            19
            EventID
          
            21
            EventRecordID
          
            23
            Guid
          
            25
            Keywords
          
            27
            Level
          
            29
            Logon_ID
          
            31
            Name
          
            33
            Opcode
          
            35
            PrivilegeList
          
            37
            ProcessID
          
            39
            RecordNumber
          
            41
            SubjectDomainName
          
            43
            SubjectLogonId
          
            45
            SubjectUserName
          
            47
            SubjectUserSid
          
            49
            SystemTime
          
            51
            System_Props_Xml
          
            53
            TargetDomainName
          
            55
            TargetSid
          
            57
            TargetUserName
          
            59
            Target_Domain
          
            61
            Target_User_Name
          
            63
            Task
          
            65
            ThreadID
          
            67
            Version
          
            69
            action
          
            71
            app
          
            73
            change_type
          
            75
            date_hour
          
            77
            date_mday
          
            79
            date_minute
          
            81
            date_month
          
            83
            date_second
          
            85
            date_wday
          
            87
            date_year
          
            89
            date_zone
          
            91
            dest
          
            93
            dest_nt_domain
          
            95
            dvc
          
            97
            dvc_nt_host
          
            99
            event_id
          
            101
            eventtype
          
            103
            host
          
            105
            id
          
            107
            index
          
            109
            linecount
          
            111
            name
          
            113
            object
          
            115
            object_attrs
          
            117
            object_category
          
            119
            object_id
          
            121
            product
          
            123
            punct
          
            125
            result
          
            127
            session_id
          
            129
            signature
          
            131
            signature_id
          
            133
            source
          
            135
            sourcetype
          
            137
            splunk_server
          
            139
            src_nt_domain
          
            141
            src_user
          
            143
            src_user_name
          
            145
            status
          
            147
            subject
          
            149
            ta_windows_action
          
            151
            ta_windows_security_CategoryString
          
            153
            tag
          
            155
            tag::eventtype
          
            157
            timeendpos
          
            159
            timestartpos
          
            161
            user
          
            163
            user_group
          
            165
            user_name
          
            167
            vendor
          
            169
            vendor_product
          
            171

...

not set

Example Log

1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4726</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-02-21T19:38:47.481373400Z'/><EventRecordID>279283</EventRecordID><Correlation/><Execution ProcessID='612' ThreadID='3184'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>LYNN_WOLF</Data><Data Name='TargetDomainName'>ATTACKRANGE</Data><Data Name='TargetSid'>S-1-5-21-2851375338-1978525053-2422663219-2445</Data><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0x592d1</Data><Data Name='PrivilegeList'>-</Data></EventData></Event>

Source: GitHub | Version: 2