User Account Creation

The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system.

Data Collection Measures:

  • Host-Based Logging
    • Windows Event Logs
      • Event ID 4720 – A new user account was created.
      • Event ID 4732/4735 – A user was added to a privileged group.
      • Event ID 4798 – Enumeration of user accounts.
    • Linux/macOS Authentication Logs
      • /var/log/auth.log, /var/log/secure – Logs useradd, adduser, passwd, and groupmod activities.
      • AuditD – Detects new account creation via PAM (useradd, usermod).
      • OSQuery – The users table tracks newly created accounts.
  • Cloud-Based Logging
    • Azure AD Logs
      • Azure AD Audit Logs – Tracks new user and service account creation.
      • Azure Graph API – Provides logs on new account provisioning.
    • AWS IAM & CloudTrail Logs
      • CreateUser, CreateRole – Tracks new IAM user creation.
      • AttachRolePolicy – Identifies privilege escalation via account creation.
    • Google Workspace & Office 365 Logs
      • Google Admin Console – Logs user creation in User Accounts API.
      • Microsoft 365 Unified Audit Log – Tracks new account provisioning.
  • Container & Network Account Creation Logs
    • Kubernetes Account Creation Logs
      • kubectl audit logs – Detects new service account provisioning.
      • GKE/Azure AKS Logs – Track new container service accounts.

ID: DC0014
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                   Channel
auditd:SYSCALL         adduser
auditd:SYSCALL         useradd or adduser executed
AWS:CloudTrail         CreateUser
azure:audit            Add user
docker:daemon          ExecCreate + usermod or useradd
m365:unified           Add user
networkdevice:syslog   username privilege
saas:okta              user.lifecycle.create
saas:slack             admin.user.create
saas:zoom              New user created
WinEventLog:Security   EventCode=4720
WinEventLog:Security   EventCode=4720, EventCode=4781
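As an added example (not part of the ATT&CK page), a small Python detector over constructed records from three of the log sources listed above: it normalizes Windows Event ID 4720, an auditd useradd (SYSCALL + EXECVE pair) and a CloudTrail CreateUser into one "account created" shape, and correlates a 4720 with a 4732 that adds the same new account to a privileged group within a short window. Field names follow the real Windows, auditd and CloudTrail schemas; the sample values, the 15-minute window and the privileged-group list are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): field names follow the real schemas, values are made up.
WIN_EVENTS = [
    {"EventCode": 4720, "TargetUserName": "svc-backup", "SubjectUserName": "jdoe",
     "TimeCreated": "2025-10-21T10:00:00"},
    {"EventCode": 4732, "MemberName": "svc-backup", "TargetUserName": "Administrators",
     "SubjectUserName": "jdoe", "TimeCreated": "2025-10-21T10:02:30"},
    {"EventCode": 4720, "TargetUserName": "intern01", "SubjectUserName": "hr-admin",
     "TimeCreated": "2025-10-21T11:00:00"},
]
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1761040800.123:4567): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=1000 uid=0 comm="useradd" exe="/usr/sbin/useradd" key="user_mgmt"',
    'type=EXECVE msg=audit(1761040800.123:4567): argc=5 a0="useradd" a1="-m" '
    'a2="-s" a3="/bin/bash" a4="svc-backup"',
]
CLOUDTRAIL = {"eventName": "CreateUser", "userIdentity": {"userName": "jdoe"},
              "requestParameters": {"userName": "ci-deploy"}}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}  # assumed list

def account_creations(win_events, auditd_lines, cloudtrail):
    """Normalize the three sources into (source, actor, new_account) tuples."""
    out = [("windows", e["SubjectUserName"], e["TargetUserName"])
           for e in win_events if e["EventCode"] == 4720]
    # auditd emits a SYSCALL record (who ran what) and an EXECVE record (argv) per useradd; join on msg=.
    recs = [dict(re.findall(r'(\w+)="?([^"\s]+)"?', line)) for line in auditd_lines]
    for s in (r for r in recs if r["type"] == "SYSCALL" and r.get("exe", "").endswith("/useradd")):
        for x in (r for r in recs if r["type"] == "EXECVE" and r["msg"] == s["msg"]):
            argv = [x[f"a{i}"] for i in range(int(x["argc"]))]
            out.append(("auditd", f"auid={s['auid']}", argv[-1]))  # LOGIN is useradd's last argument
    if cloudtrail.get("eventName") == "CreateUser":
        out.append(("cloudtrail", cloudtrail["userIdentity"]["userName"],
                    cloudtrail["requestParameters"]["userName"]))
    return out

def creation_then_privileged(win_events, window=timedelta(minutes=15)):
    """Flag a 4720 followed within `window` by a 4732 adding that account to a privileged group."""
    created = {e["TargetUserName"]: datetime.fromisoformat(e["TimeCreated"])
               for e in win_events if e["EventCode"] == 4720}
    hits = []
    for e in win_events:
        if e["EventCode"] == 4732 and e["TargetUserName"] in PRIVILEGED_GROUPS:
            t0 = created.get(e["MemberName"])  # in 4732, MemberName is the added principal
            if t0 and timedelta(0) <= datetime.fromisoformat(e["TimeCreated"]) - t0 <= window:
                hits.append((e["MemberName"], e["TargetUserName"], e["SubjectUserName"]))
    return hits
```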

Detection Strategy