The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service.
Data Collection Measures:
- Host-Based Logging
- Windows Event Logs
- Event ID 4726 – A user account was deleted.
- Event ID 4733/4735 – A user was removed from a privileged group.
- Event ID 1102 – Security log was cleared (potential cover-up).
- Linux/macOS Authentication Logs
/var/log/auth.log, /var/log/secure – Logs userdel, deluser, passwd -l.- AuditD – Tracks account deletions via PAM events (
userdel). - OSQuery – The
users table can detect account removal.
- Cloud-Based Logging
- Azure AD Logs
- Azure AD Audit Logs – Tracks user and service account deletions.
- Azure Graph API – Monitors identity changes.
- AWS IAM & CloudTrail Logs
DeleteUser, DeleteRole – Tracks IAM user deletion.- DetachRolePolicy – Identifies privilege revocation before deletion.
- Google Workspace & Office 365 Logs
- Google Admin Console – Logs user removal activities.
- Microsoft 365 Unified Audit Log – Captures deleted accounts in Active Directory.
- Container & Network Account Deletion Logs
- Kubernetes Service Account Deletion
- kubectl audit logs – Detects when service accounts are removed from pods.
- GKE/Azure AKS Logs – Track containerized identity removals.