legitimate local user creations may be done by a system or network administrator. verify whether this is known behavior in your environment. local user creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_user_account_creation_event_logs.toml>elastic
technicques: T1136

Techniques

Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access to a system or domain.

host.os.type:windows and event.module:("system" or "security") and (event.code:"4720" or event.action:"added-user-account")