windows_event_user_account_created
SCHEMA

| Column | Type | Description |
| --- | --- | --- |
| account_expires | string | The date when the account expires | 
| allowed_to_delegate_to | string | The list of SPNs to which this account can present delegated credentials. | 
| description | string | Plugin description text | 
| display_name | string | Service Display name | 
| eventid | int | The Windows event ID | 
| home_directory | string | User's home directory. | 
| home_path | string | User's home path. | 
| privilege_list | string | The list of user privileges which were used during the operation | 
| profile_path | string | Specifies a path to the account's profile | 
| provider_name | string | The Windows event provider | 
| sam_account_name | string | Logon name for account used to support clients and servers from previous versions of Windows | 
| script_path | string | The path for the PowerShell script | 
| source | string | The Windows event source | 
| subject_domain | string | The domain or computer name for the account that reported the logon | 
| subject_username | string | The account that reported the logon | 
| target_domain | string | The domain or computer name for the account specified | 
| target_username | string | The name of the account that was specified in the logon attempt | 
| uac | string | Shows the list of changes in userAccountControl attribute | 
| user_parameters | string | For new local accounts this field typically has value '<value not set>' | 
| user_principal_name | string | Internet-style login name for the account | 
| user_workstations | string | Contains the list of NetBIOS or DNS names of the computers from which the user can log on. | 

```sql
-- windows_event_user_account_created INFO
SELECT
    -- Device ID DETAILS
    meta_hostname,
    meta_ip_address,
    -- Query Details
    query_name,
    account_expires,
    allowed_to_delegate_to,
    description,
    display_name,
    eventid,
    home_directory,
    home_path,
    privilege_list,
    profile_path,
    provider_name,
    sam_account_name,
    script_path,
    source,
    subject_domain,
    subject_username,
    target_domain,
    target_username,
    uac,
    user_parameters,
    user_principal_name,
    user_workstations,
    -- Decoration
    meta_boot_time,
    meta_eid,
    meta_endpoint_type,
    meta_ip_mask,
    meta_mac_address,
    meta_os_name,
    meta_os_platform,
    meta_os_type,
    meta_os_version,
    meta_public_ip,
    meta_query_pack_version,
    meta_username,
    -- Generic
    calendar_time,
    counter,
    epoch,
    host_identifier,
    numerics,
    osquery_action,
    unix_time,
    -- Data Lake
    customer_id,
    endpoint_id,
    upload_size
FROM xdr_data
WHERE query_name = 'windows_event_user_account_created'
```