Azure Account Creation/Deletion

event_platform=Win event_simpleName IN (ActiveDirectoryAccountCreated, ActiveDirectoryAccountDeleted)
| convert ctime(ContextTimeStamp_decimal) as TimeStamp
| table TimeStamp, event_simpleName, AccountDomain, SamAccountName