|
|
|
Forum Newbie
Group: Forum Members
Last Login: 8/17/2018 1:22:51 PM
Posts: 1,
Visits: 0
|
|
Hi Mr. Randy, thank you for your ultimate encyclopedia. I've one question, I was working on the detection of new localuser account created in DC controlled environment. Event ID 4720 gets generated on new account creation but I want to differentiate new accounts created on DC vs new accounts created locally. Is there a way in which I can do this using Windows Security Logs?
Right now my lab isn't configured with DC, but I think if Computer Name and Target Domain Name is same, then it's local account creation. Please suggest me solution so that I can play with event IDs to build a detection.
Thanks in advance! 
|
|
|
|
|
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237,
Visits: 0
|
|
You got it!
Computer name = New Account - Account Domain
|
|
|
|