SureLog SIEM User Behavior Rule: “Detects when a user account is created and deleted in a short period of time.”

Ertugrul Akbas
Apr 3, 2019


This “Quick Guide” shows how to develop a user behavior rule and then edit, configure and modify such rules.

In this quick guide, a very simple user behavior rule, “Detects when a user account is created and deleted in a short period of time.”, will be implemented.

We will implement this rule with SureLog SIEM by creating 2 objects. The first one matches event code “4720” and the second one matches event code “4726”. The time relation between them is “within 15 minutes”. Finally, the user must be the same in both events.

SureLog Rule Editor

To link the first part of the scenario with the second part over the same sourceaccount, we will use the Object Relation Management Editor.

Object Relation Management Editor
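The same correlation logic, written out as an added Python example for readers who want to test it outside the product (this is not SureLog rule syntax or the author's code). The event dictionary keys, the `account` field standing in for the account the rule links on, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

CREATED, DELETED = 4720, 4726    # the two event codes used by the rule
WINDOW = timedelta(minutes=15)   # the "within 15 minutes" time relation

# Constructed sample events, deliberately out of order; keys are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2019-04-03T10:05:00", "event_id": 4726, "account": "alice"},
    {"time": "2019-04-03T10:00:00", "event_id": 4720, "account": "alice"},
    {"time": "2019-04-03T10:00:00", "event_id": 4720, "account": "bob"},
    {"time": "2019-04-03T10:20:00", "event_id": 4726, "account": "bob"},    # too late
    {"time": "2019-04-03T09:00:00", "event_id": 4726, "account": "carol"},  # wrong order
    {"time": "2019-04-03T09:10:00", "event_id": 4720, "account": "carol"},
    {"time": "2019-04-03T11:00:00", "event_id": 4720, "account": "dave"},
    {"time": "2019-04-03T11:02:00", "event_id": 4726, "account": "erin"},   # other account
    {"time": "2019-04-03T12:00:00", "event_id": 4720, "account": "Frank"},
    {"time": "2019-04-03T12:14:00", "event_id": 4726, "account": "frank"},  # case differs
]

def correlate(events, window=WINDOW):
    """Return (account, created_at, deleted_at) for every creation event that
    is followed by a deletion event for the same account within `window`."""
    pending = {}  # account -> time of the most recent unmatched creation
    hits = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    for ev in ordered:
        ts = datetime.fromisoformat(ev["time"])
        acct = ev["account"].lower()  # treat account names as case-insensitive
        if ev["event_id"] == CREATED:
            pending[acct] = ts
        elif ev["event_id"] == DELETED:
            created = pending.pop(acct, None)  # a deletion always clears state
            if created is not None and ts - created <= window:
                hits.append((acct, created, ts))
    return hits

if __name__ == "__main__":
    for acct, created, deleted in correlate(SAMPLE_EVENTS):
        print(f"ALERT {acct}: created {created}, deleted {deleted}")
```

Sorting by timestamp before matching matters because collectors often deliver events out of order; without it, the `alice` pair above would be missed.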
