Data Source: Windows Event Log Security 4720

Description

Event ID 4720 is written to the Security log when a user account is created: a local SAM account on a workstation or member server, or a domain account when the event is logged on a domain controller. The Subject_* fields identify the account that performed the creation, and the Account_Name, SAM_Account_Name and Security_ID fields identify the new account. The event is only generated when success auditing is enabled for the Audit User Account Management subcategory.

Details

Property    Value
Source      XmlWinEventLog:Security
Sourcetype  XmlWinEventLog
Separator   EventCode

Name                                             Technique                                        Type
Detect New Local Admin account                   Local Account                                    TTP
Windows Create Local Account                     Local Account                                    Anomaly
Windows Increase in User Modification Activity   Account Manipulation, Disable or Modify Tools    TTP
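As an added, runnable illustration of the first detection in the table above (example code written for this page, not the Splunk Security Content search itself): a "new local admin" alert needs the 4720 creation event correlated with a later 4732 event (member added to a security-enabled local group) for the Administrators group on the same host. The example parses events in the XmlWinEventLog shape into flat fields of the kind listed under Event Fields, then keys the correlation on the new account's SID rather than its name. The three-hour window, the SID-based match (the Splunk search matches on the group name), the helper names and all sample events are this example's own assumptions and constructed data.

```python
"""Parse Windows Security events (XmlWinEventLog shape) and correlate a 4720
"user account created" event with a later 4732 "member added to a
security-enabled local group" event for BUILTIN\\Administrators.
All event data below is constructed for this example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List
from xml.sax.saxutils import escape

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
ADMIN_GROUP_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators, locale-independent


def parse_system_time(value: str) -> datetime:
    """TimeCreated/@SystemTime looks like 2020-10-09T10:41:26.1234567Z; Windows
    writes seven fractional digits but datetime accepts at most six."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def parse_event(xml_text: str) -> Dict[str, object]:
    """Flatten one event into EventCode, ComputerName, _time plus every
    EventData/Data element keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event: Dict[str, object] = {
        "EventCode": int(system.find("e:EventID", NS).text),
        "ComputerName": system.find("e:Computer", NS).text,
        "_time": parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime")),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def detect_new_local_admin(events: Iterable[Dict[str, object]],
                           maxspan_minutes: int = 180) -> List[Dict[str, object]]:
    """Alert when a SID created by 4720 is added to Administrators (4732) on the
    same host within maxspan_minutes. Keying on SID instead of account name
    survives renames and domain-prefixed MemberName values (assumed design)."""
    maxspan = timedelta(minutes=maxspan_minutes)
    created: Dict[tuple, Dict[str, object]] = {}
    alerts: List[Dict[str, object]] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        dest = ev["ComputerName"]
        if ev["EventCode"] == 4720:
            created[(dest, ev["TargetSid"])] = ev
        elif ev["EventCode"] == 4732 and ev.get("TargetSid") == ADMIN_GROUP_SID:
            origin = created.get((dest, ev.get("MemberSid")))
            if origin is not None and ev["_time"] - origin["_time"] <= maxspan:
                alerts.append({
                    "dest": dest,
                    "user": origin["TargetUserName"],        # the newly created account
                    "user_sid": origin["TargetSid"],
                    "src_user": origin["SubjectUserName"],   # who created it
                    "promoted_by": ev["SubjectUserName"],    # who added it to Administrators
                    "created_at": origin["_time"],
                    "promoted_at": ev["_time"],
                })
    return alerts


def make_event(event_id: int, system_time: str, computer: str, data: Dict[str, str]) -> str:
    """Build a minimal Security-channel event in the Windows event XML schema (constructed)."""
    body = "".join(f"<Data Name='{k}'>{escape(v)}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{EVT_NS}'><System>"
            f"<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>{event_id}</EventID>"
            f"<TimeCreated SystemTime='{system_time}'/><Channel>Security</Channel>"
            f"<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>")


HOST = "WS01.example.local"  # constructed host name
SAMPLE_EVENTS = [
    make_event(4720, "2020-10-09T10:41:26.0000000Z", HOST, {
        "TargetUserName": "svc_backup", "TargetDomainName": "WS01",
        "TargetSid": "S-1-5-21-1111-2222-3333-1005", "SamAccountName": "svc_backup",
        "SubjectUserName": "jdoe", "SubjectDomainName": "WS01", "SubjectLogonId": "0x3e7f1"}),
    make_event(4732, "2020-10-09T10:43:02.0000000Z", HOST, {
        "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1005",
        "TargetUserName": "Administrators", "TargetDomainName": "Builtin",
        "TargetSid": ADMIN_GROUP_SID, "SubjectUserName": "jdoe", "SubjectDomainName": "WS01"}),
    # second new account only joins Remote Desktop Users: must not alert
    make_event(4720, "2020-10-09T11:00:00.0000000Z", HOST, {
        "TargetUserName": "helpdesk_tmp", "TargetDomainName": "WS01",
        "TargetSid": "S-1-5-21-1111-2222-3333-1006", "SamAccountName": "helpdesk_tmp",
        "SubjectUserName": "jdoe", "SubjectDomainName": "WS01", "SubjectLogonId": "0x3e7f1"}),
    make_event(4732, "2020-10-09T11:05:00.0000000Z", HOST, {
        "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1006",
        "TargetUserName": "Remote Desktop Users", "TargetDomainName": "Builtin",
        "TargetSid": "S-1-5-32-555", "SubjectUserName": "jdoe", "SubjectDomainName": "WS01"}),
]


def run_sample(maxspan_minutes: int = 180) -> List[Dict[str, object]]:
    return detect_new_local_admin((parse_event(x) for x in SAMPLE_EVENTS), maxspan_minutes)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['dest']}: {alert['user']} ({alert['user_sid']}) created by "
              f"{alert['src_user']} at {alert['created_at']:%H:%M:%S}, added to "
              f"Administrators by {alert['promoted_by']} at {alert['promoted_at']:%H:%M:%S}")
```

The correlation deliberately requires the same ComputerName on both events: a 4732 on a domain controller for a domain group is a different (and higher-value) signal and should be handled by its own detection rather than matched against workstation 4720s.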

Supported Apps

Event Fields

Fields

_time, Account_Domain, Account_Expires, Account_Name, Allowed_To_Delegate_To, CategoryString, ComputerName, Display_Name, Error_Code, EventCode, EventType, Home_Directory, Home_Drive, Keywords, LogName, Logon_Hours, Logon_ID, MSADChangedAttributes, Message, New_UAC_Value, Old_UAC_Value, OpCode, Password_Last_Set, Primary_Group_ID, Profile_Path, RecordNumber, SAM_Account_Name, SID_History, Script_Path, Security_ID, SourceName, Subject_Account_Domain, Subject_Account_Name, Subject_Logon_ID, Subject_Security_ID, TaskCategory, Type, User_Parameters, User_Principal_Name, User_Workstations, action, app, body, category, change_type, date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, dest, dest_nt_domain, dest_nt_host, dvc, dvc_nt_host, event_id, eventtype, host, id, index, linecount, member_dn, member_id, member_nt_domain, msad_action, name, object_category, product, punct, result, session_id, severity, severity_id, signature, signature_id, source, sourcetype, splunk_server, src_nt_domain, src_user, status, subject, ta_windows_action, ta_windows_security_CategoryString, tag, tag::eventtype, timeendpos, timestartpos, user, user_group_id, vendor, vendor_product

Example Log

110/09/2020 10:41:26 AM

Required Output Fields

  • dest

Source: GitHub | Version: 3