if the identity_management data model is not updated regularly, this search could give you false positive alerts. please consider this and investigate appropriately.

t1078.002
domain server
splunk

Techniques

T1078.002

Sample rules

Identify New User Accounts

source: splunk
technicques:
- T1078.002

Description

This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.

Detection logic


| from datamodel Identity_Management.All_Identities  
| eval empStatus=case((now()-startDate)<604800, "Accounts created in last week") 
| search empStatus="Accounts created in last week"
| `security_content_ctime(endDate)` 
| `security_content_ctime(startDate)`
| table identity empStatus endDate startDate 
| `identify_new_user_accounts_filter`