Azure Account Creation/Deletion
event_platform=Win event_simpleName IN (ActiveDirectoryAccountCreated, ActiveDirectoryAccountDeleted)
| convert ctime(ContextTimeStamp_decimal) as TimeStamp
| table TimeStamp, event_simpleName, AccountDomain, SamAccountNameLast updated
Was this helpful?