Dashboard Query: Newly Created Accounts

Document created by Spencer Engleson Employee on Oct 27, 2016
Version 1Show Document
  • View in full screen mode

This query shows users with newly created accounts.


Log Set: Active Directory Admin Activity

Event Source: Active Directory


Newly Created Accounts by Target User

This query shows all users who have had a new account created.  Recommended visualization option is a table (the "Count" column is the total number of password reset events for the target user that have occurred in the selected time range):


     where(action="ACCOUNT_CREATED") groupby(target_user)


***Please ignore the incredibly specific time range in the above screenshot - I had to look pretty far back in our demo instance to find a ACCOUNT_CREATED event***


Users Creating Accounts

Alternatively, changing the groupby to source_user will show all users who are creating accounts, rather than the target users:


     where(action="PASSWORD_RESET" AND source_user!=target_user)groupby(source_user)



Newly Created Accounts Trend over Time

Lastly, to see a trend over time for newly created accounts, utilize a count function, a timeline chart, and a longer time range to show the number of forced password resets over time:


     where(action="ACCOUNT_CREATED") calculate(count)