Data Source: Windows Event Log Security 4741

Logs the creation of a new computer account in Active Directory, including the new account's name and domain and the subject user who performed the creation.

Property Value
Source XmlWinEventLog:Security
Sourcetype xmlwineventlog
Separator EventCode
+ Fields

_time
AccountExpires
AllowedToDelegateTo
Caller_Domain
Caller_User_Name
CategoryString
Channel
Computer
DisplayName
DnsHostName
Error_Code
EventCode
EventData_Xml
EventID
EventRecordID
Guid
HomeDirectory
HomePath
Keywords
Level
LogonHours
Logon_ID
Name
NewUacValue
OldUacValue
Opcode
PasswordLastSet
PrimaryGroupId
PrivilegeList
ProcessID
ProfilePath
RecordNumber
SamAccountName
ScriptPath
ServicePrincipalNames
SidHistory
SubjectDomainName
SubjectLogonId
SubjectUserName
SubjectUserSid
SystemTime
System_Props_Xml
TargetDomainName
TargetSid
TargetUserName
Target_Domain
Target_User_Name
Task
ThreadID
UserAccountControl
UserParameters
UserPrincipalName
UserWorkstations
Version
action
app
change_type
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
dest
dest_nt_domain
dvc
dvc_nt_host
event_id
eventtype
host
id
index
linecount
name
object_attrs
object_category
product
punct
result
session_id
signature
signature_id
source
sourcetype
splunk_server
src_nt_domain
src_user
status
subject
ta_windows_action
ta_windows_security_CategoryString
tag
tag::eventtype
timeendpos
timestartpos
user
user_group
user_type
vendor
vendor_product
...
not set
1<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4741</EventID><Version>0</Version><Level>0</Level><Task>13825</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-04-08T18:48:04.618400500Z'/><EventRecordID>143475</EventRecordID><Correlation/><Execution ProcessID='636' ThreadID='1776'/><Channel>Security</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security/></System><EventData><Data Name='TargetUserName'>AR-WIN-2$</Data><Data Name='TargetDomainName'>ATTACKRANGE</Data><Data Name='TargetSid'>ATTACKRANGE\AR-WIN-2$</Data><Data Name='SubjectUserSid'>ATTACKRANGE\Administrator</Data><Data Name='SubjectUserName'>Administrator</Data><Data Name='SubjectDomainName'>ATTACKRANGE</Data><Data Name='SubjectLogonId'>0xd9f04</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>AR-WIN-2$</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>4/8/2024 6:48:04 PM</Data><Data Name='AccountExpires'>%%1794</Data><Data Name='PrimaryGroupId'>515</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x0</Data><Data Name='NewUacValue'>0x80</Data><Data Name='UserAccountControl'>

Source: GitHub | Version: 2