Multiple Account Deletion by an Administrator
Detect multiple accounts being deleted by an Administrator
How to Implement
This search requires an accelerated Authentication data model to run. If it is not present, consider ingesting Windows Security or Linux data via the Splunk Universal Forwarder, or AWS, GCP or Azure data via the correct add-on, and then accelerating it with the Common Information Model (CIM) app.
Known False Positives
The biggest potential false positive from this detection is that, technically, it will fire for any privileged account that is deleting accounts, not just admin accounts specifically. It is difficult to put sufficient logic into a single search to detect admin-only accounts, as "privilege" is often a general term that implies any user with rights above the average user. So while this detects account deletions by admins, it could also alert on any automated account that is cleaning up Active Directory.
Beyond that, there are no known sources of false positives for this search.
How To Respond
When this search returns values, initiate your incident response process and capture the time of the creation and deletion events, as well as the user accounts that created the account and the account name itself, the system that initiated the request and other pertinent information. Contact the account owners to verify whether or not this is authorized behavior. If not, begin to investigate actions taken by each account leading up to its deletion. If it is authorized behavior, document that this is authorized and by whom.
Multiple Account Deletion by an Administrator Help
This example leverages the Simple Search assistant. Our dataset is a collection of Windows security logs for user deletion. We filter for multiple deletions by the same user in a short period of time. Anything that matches, we will surface.
SPL for Multiple Account Deletion by an Administrator
1. Here we start with a data set from the Change data model.
2. Filter on deletes only.
3. We list and count the number of deletions by source user.
4. Only show users that have deleted more than 1 account.
5. This macro attaches information from the ES Asset and Identity framework so you can see if a user is considered privileged.
6. Filter on privileged users only.
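The steps above, written out as an added SPL example (not the search shipped with Splunk Security Essentials). It uses the CIM Change data model field names; the ES identity lookup name (identity_lookup_expanded) and the category value "privileged" used for step 5 are assumptions about the Asset and Identity framework in your environment, so substitute the enrichment macro your deployment actually provides.

```spl
| tstats summariesonly=true count
    values(All_Changes.object) as deleted_accounts
    min(_time) as first_deletion max(_time) as last_deletion
    from datamodel=Change.All_Changes
    where All_Changes.action="deleted" All_Changes.object_category="user"
    by All_Changes.user All_Changes.dest _time span=1h
| rename All_Changes.user as src_user All_Changes.dest as dest
| where count > 1
| lookup identity_lookup_expanded identity as src_user OUTPUT category as identity_category
| search identity_category="privileged"
| convert ctime(first_deletion) ctime(last_deletion)
| table _time src_user dest count deleted_accounts first_deletion last_deletion identity_category
```

The 1-hour span and the count threshold of 1 are the tunables; raising the span catches slower cleanup while widening the service-account false positives described above.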