Correlated user account modification (reset, disable, deletion) events with anomalous process lineage (e.g., PowerShell or net.exe from an interactive session), especially outside of IT admin change windows or by non-admin users.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | WinEventLog:Security | EventCode=4723, 4724, 4726, 4740 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| UserContext | Account performing the operation (e.g., Domain Admins vs. local users) |
| TimeWindow | Alert only on actions outside of maintenance windows |
| ParentProcessName | Detect suspicious process lineage (e.g., powershell.exe launching net.exe) |

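The correlation this analytic describes, joining the Security account-modification events to Sysmon process creation through the shared logon session and then applying the three tunables (UserContext, TimeWindow, ParentProcessName), as an added example that is not part of the original page. The event dicts, the admin allowlist and the Saturday 02:00-04:00 UTC change window are constructed assumptions; field names follow the Security and Sysmon schemas but timestamps are normalised to ISO 8601 here.

```python
"""Correlate Windows account-modification events (4723/4724/4726/4740) with
Sysmon process creation (EventCode=1) sharing the same logon session.

Added example, not code from the original page. Field names (TimeCreated,
SubjectLogonId, UtcTime, LogonId, ParentImage, Image) follow the Windows
Security and Sysmon schemas; the events, the admin allowlist and the change
window below are constructed assumptions.
"""
from datetime import datetime, time, timedelta
from pathlib import PureWindowsPath

ACCOUNT_EVENT_CODES = {4723: "password change attempt", 4724: "password reset",
                       4726: "account deleted", 4740: "account locked out"}
# Account-management tools that are suspicious when spawned by a script host or shell.
ACCOUNT_TOOLS = {"net.exe", "net1.exe", "dsmod.exe", "dsrm.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# UserContext tunable: constructed allowlist of accounts expected to change other accounts.
ADMIN_ACCOUNTS = {"svc_idm", "helpdesk01"}
# TimeWindow tunable: assumed change window, Saturdays 02:00-04:00 UTC.
MAINT_WEEKDAY, MAINT_START, MAINT_END = 5, time(2, 0), time(4, 0)


def _ts(value):
    return datetime.fromisoformat(value)


def _exe(path):
    return PureWindowsPath(path).name.lower()


def in_maintenance_window(ts):
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START <= ts.time() < MAINT_END


def suspicious_lineage(proc):
    """ParentProcessName tunable: a script host or shell spawning an account tool."""
    return _exe(proc["ParentImage"]) in SCRIPT_PARENTS and _exe(proc["Image"]) in ACCOUNT_TOOLS


def correlate(account_events, process_events, lookback=timedelta(seconds=120), min_score=2):
    """Score each account event; lineage weighs 2, non-admin subject and off-window time 1 each."""
    alerts = []
    for acct in account_events:
        if acct["EventCode"] not in ACCOUNT_EVENT_CODES:
            continue
        when = _ts(acct["TimeCreated"])
        # Processes created in the same logon session shortly before the account event.
        related = [p for p in process_events
                   if p["LogonId"] == acct["SubjectLogonId"]
                   and when - lookback <= _ts(p["UtcTime"]) <= when]
        lineage = [p for p in related if suspicious_lineage(p)]
        score, reasons = 0, []
        if lineage:
            score += 2
            reasons.append("lineage %s -> %s" % (_exe(lineage[0]["ParentImage"]),
                                                  _exe(lineage[0]["Image"])))
        if acct["SubjectUserName"].lower() not in ADMIN_ACCOUNTS:
            score += 1
            reasons.append("non-admin subject")
        if not in_maintenance_window(when):
            score += 1
            reasons.append("outside change window")
        if score >= min_score:
            alerts.append({"time": when, "action": ACCOUNT_EVENT_CODES[acct["EventCode"]],
                           "subject": acct["SubjectUserName"], "target": acct["TargetUserName"],
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample events. 2024-03-12 is a Tuesday, 2024-03-16 a Saturday.
SAMPLE_ACCOUNT_EVENTS = [
    {"EventCode": 4724, "TimeCreated": "2024-03-12T14:05:10+00:00", "SubjectUserName": "jdoe",
     "SubjectLogonId": "0x3e7a1", "TargetUserName": "cfo"},
    {"EventCode": 4726, "TimeCreated": "2024-03-16T02:30:00+00:00", "SubjectUserName": "svc_idm",
     "SubjectLogonId": "0x1a2b", "TargetUserName": "contractor7"},
    {"EventCode": 4723, "TimeCreated": "2024-03-12T16:20:00+00:00", "SubjectUserName": "mlee",
     "SubjectLogonId": "0x5555", "TargetUserName": "mlee"},
]
SAMPLE_PROCESS_EVENTS = [
    {"UtcTime": "2024-03-12T14:05:02+00:00", "LogonId": "0x3e7a1",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\net.exe"},
    {"UtcTime": "2024-03-16T02:29:55+00:00", "LogonId": "0x1a2b",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\IdM\provision.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_ACCOUNT_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(alert)
```

The join key is the logon session (SubjectLogonId on the Security event, LogonId on the Sysmon event), which is more reliable than joining on host and user name alone. The provisioning-service deletion inside the change window scores zero, while a self-service password change by a non-admin outside the window still reaches the threshold, which is the kind of low-severity hit the TimeWindow tunable is meant to suppress or down-rank.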
Password changes or account deletions via 'passwd', 'userdel', or 'chage' preceded by interactive shell or remote command execution from non-privileged accounts.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | SYSCALL record where exe contains passwd/userdel/chage and auid != root |
| User Account Authentication (DC0002) | NSM:Connections | Accepted password or publickey for user from remote IP |

| Field | Description |
|---|---|
| ExecPath | Binary path for passwd or userdel, which may vary by distro |
| NonRootUIDThreshold | Alert only if auid != root or expected service account |

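A parser for the raw auditd SYSCALL record and for sshd "Accepted ..." lines, wired together into the rule above (exe basename in the account-tool set, auid not root or an expected service account, preceded by a remote login or run from a tty). This is an added example, not code from the original page; the audit and sshd lines, the uid-to-name map and the expected service uid are constructed, and sshd lines are assumed to carry ISO 8601 timestamps as journald/rsyslog high-precision formats do.

```python
"""Parse auditd SYSCALL records for passwd/userdel/chage/usermod executions and
correlate them with an accepted SSH login for the same non-root user.

Added example, not from the original page. The audit and sshd lines below are
constructed; the uid-to-name map and the expected service account are assumptions.
"""
import re
from datetime import datetime

ACCOUNT_BINARIES = {"passwd", "userdel", "chage", "usermod"}
# ExecPath tunable: distros differ (/usr/sbin vs /sbin), so match on the basename only.
EXPECTED_SERVICE_UIDS = {1002}                           # constructed provisioning account
UID_MAP = {0: "root", 1001: "jdoe", 1002: "svc_prov"}    # constructed /etc/passwd excerpt
AUID_UNSET = 4294967295                                  # kernel value for "no login uid"

AUDIT_MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SSH_ACCEPT_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port (\d+)")


def parse_audit_record(line):
    """Return the key=value pairs plus 'time' (epoch seconds) and 'serial', or None."""
    m = AUDIT_MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["time"] = int(m.group(1)) + int(m.group(2)) / 1000.0
    rec["serial"] = int(m.group(3))
    return rec


def parse_ssh_accept(line):
    m = SSH_ACCEPT_RE.match(line)
    if not m:
        return None
    return {"time": datetime.fromisoformat(m.group(1)).timestamp(),
            "method": m.group(2), "user": m.group(3), "ip": m.group(4)}


def detect(audit_lines, ssh_lines, lookback=600):
    """Alert on account-tool execs by non-root, non-service auids that follow a remote
    login within `lookback` seconds or run from an interactive tty."""
    logins = [l for l in map(parse_ssh_accept, ssh_lines) if l]
    alerts = []
    for rec in filter(None, map(parse_audit_record, audit_lines)):
        if rec.get("type") != "SYSCALL":
            continue
        exe = rec.get("exe", "").rsplit("/", 1)[-1]
        if exe not in ACCOUNT_BINARIES:
            continue
        auid = int(rec.get("auid", AUID_UNSET))
        # NonRootUIDThreshold tunable: ignore root and known service accounts.
        if auid == 0 or auid in EXPECTED_SERVICE_UIDS:
            continue
        user = UID_MAP.get(auid, "uid:%d" % auid)
        remote = [l for l in logins
                  if l["user"] == user and rec["time"] - lookback <= l["time"] <= rec["time"]]
        interactive = rec.get("tty", "(none)") != "(none)"
        if not remote and not interactive:
            continue
        alerts.append({"serial": rec["serial"], "exe": exe, "auid": auid, "user": user,
                       "ses": rec.get("ses"), "tty": rec.get("tty"),
                       "remote_login": remote[-1]["ip"] if remote else None})
    return alerts


# Constructed sample records (epoch 1710252310 is 2024-03-12T14:05:10Z).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1710252310.123:4567): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=55c1 a1=55c2 a2=55c3 a3=0 items=2 ppid=2201 pid=2210 auid=1001 uid=0 gid=0 euid=0 '
    'tty=pts0 ses=12 comm="userdel" exe="/usr/sbin/userdel" key="account_mgmt"',
    'type=SYSCALL msg=audit(1710252400.001:4590): arch=c000003e syscall=59 success=yes exit=0 '
    'items=2 ppid=1 pid=2300 auid=0 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 '
    'comm="chage" exe="/usr/bin/chage" key="account_mgmt"',
    'type=SYSCALL msg=audit(1710252450.500:4601): arch=c000003e syscall=59 success=yes exit=0 '
    'items=2 ppid=900 pid=2350 auid=1002 uid=1002 gid=1002 euid=0 tty=(none) ses=7 '
    'comm="passwd" exe="/usr/bin/passwd" key="account_mgmt"',
    'type=SYSCALL msg=audit(1710252460.000:4610): arch=c000003e syscall=59 success=yes exit=0 '
    'items=2 ppid=2201 pid=2360 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=12 '
    'comm="ls" exe="/usr/bin/ls" key="exec"',
]
SAMPLE_SSH_LINES = [
    "2024-03-12T14:04:50+00:00 web01 sshd[2190]: Accepted publickey for jdoe from 203.0.113.45 "
    "port 51822 ssh2: ED25519 SHA256:constructedfingerprint",
    "2024-03-12T13:10:00+00:00 web01 sshd[1800]: Accepted password for svc_prov from 198.51.100.7 "
    "port 40000 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LINES, SAMPLE_SSH_LINES):
        print(alert)
```

Matching on `auid` rather than `uid` is what makes the rule hold up: `passwd` and `userdel` run with an effective uid of 0 through setuid or sudo, but the login uid set at authentication survives that and names the human who started the session. A user changing their own password with `passwd` also satisfies auid != root; to suppress that case, compare the target named in the accompanying EXECVE record's argv with the actor.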
Execution of dscl or sysadminctl commands to disable, delete, or modify users combined with anomalous process ancestry or terminal session launch.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | command includes dscl . delete or sysadminctl --deleteUser |
| User Account Authentication (DC0002) | macos:unifiedlog | successful sudo or authentication for account not normally associated with admin actions |

| Field | Description |
|---|---|
| CommandLinePattern | Allow variation in dscl/sysadminctl command structure |
| AnomalousUserFlag | Detect new or rarely seen users performing user removal |

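The CommandLinePattern and AnomalousUserFlag tunables worked through in code: a classifier that recognises dscl and sysadminctl account operations whatever the datasource, path prefix or dash spelling, followed by a check of the actor and launching parent against a baseline. Added example, not code from the original page; the events, the actor baseline and the trusted-parent list are constructed, and the treatment of an `AuthenticationAuthority` value containing `;DisabledUser;` as a disable is a heuristic.

```python
"""Classify dscl and sysadminctl command lines that delete, disable or modify a
user, tolerating variation in flag spelling and record path, then flag
executions by actors or parent processes not seen managing accounts before.

Added example, not from the original page. Events below are constructed; the
actor baseline and trusted-parent list are assumptions.
"""
import re

# dscl [options] [datasource] -command /path/to/Users/<name> ...
# Accepts "-delete" and the bare "delete" spelling, any datasource or leading
# options, and /Users/<name> as well as /Local/Default/Users/<name> paths.
DSCL_RE = re.compile(
    r"\bdscl\b(?:\s+\S+)*?\s+-{0,2}(delete|passwd|create|append|merge|change)\s+(\S*/Users/([^\s/]+))",
    re.IGNORECASE)
# sysadminctl [-adminUser x -adminPassword y] -deleteUser <name> [-secure]
#                                          | -resetPasswordFor <name> -newPassword <pw>
SYSADMINCTL_RE = re.compile(
    r"\bsysadminctl\b.*?-{1,2}(deleteUser|resetPasswordFor)\s+(\S+)", re.IGNORECASE)

KNOWN_ACTORS = {"itadmin"}            # constructed baseline of users who manage accounts
TRUSTED_PARENTS = {"jamf", "munki"}   # constructed: management agents expected to run these


def classify(cmdline):
    """Return (tool, action, target_user) or None for unrelated commands."""
    m = DSCL_RE.search(cmdline)
    if m:
        op = m.group(1).lower()
        if op == "delete":
            action = "delete"
        elif op in {"create", "append", "merge"} and "DisabledUser" in cmdline[m.end():]:
            action = "disable"  # heuristic: ;DisabledUser; in AuthenticationAuthority blocks login
        else:
            action = "modify"
        return ("dscl", action, m.group(3))
    m = SYSADMINCTL_RE.search(cmdline)
    if m:
        action = "delete" if m.group(1).lower() == "deleteuser" else "modify"
        return ("sysadminctl", action, m.group(2))
    return None


def detect(events):
    """Events are constructed records derived from the unified log: who ran what, under which parent."""
    alerts = []
    for ev in events:
        hit = classify(ev["command"])
        if not hit:
            continue
        tool, action, target = hit
        reasons = []
        if ev["actor"] not in KNOWN_ACTORS:                      # AnomalousUserFlag
            reasons.append("actor %s not in baseline" % ev["actor"])
        if ev["parent"] not in TRUSTED_PARENTS:                  # process ancestry
            reasons.append("launched from %s, not a management agent" % ev["parent"])
        if reasons:
            alerts.append({"time": ev["time"], "tool": tool, "action": action,
                           "target": target, "actor": ev["actor"], "reasons": reasons})
    return alerts


SAMPLE_EVENTS = [
    {"time": "2024-03-12T09:15:00Z", "actor": "itadmin", "parent": "jamf",
     "command": "sysadminctl -deleteUser contractor7 -secure"},
    {"time": "2024-03-12T11:42:13Z", "actor": "rgreen", "parent": "Terminal",
     "command": "sudo dscl . -delete /Users/cfo"},
    {"time": "2024-03-12T11:42:40Z", "actor": "rgreen", "parent": "Terminal",
     "command": "dscl . -append /Users/ceo AuthenticationAuthority ';DisabledUser;'"},
    {"time": "2024-03-12T12:00:00Z", "actor": "itadmin", "parent": "Terminal",
     "command": "dscl . -read /Users/cfo RecordName"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Read-only dscl verbs such as `-read` and `-list` are deliberately excluded so that routine lookups from a terminal do not page anyone; the ancestry check is what separates the same `dscl . -delete` issued by a management agent from one typed into Terminal by an account that has never managed users before.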
Invocation of esxcli 'system account remove' from vCLI, SSH, or vSphere API with anomalous user access or outside maintenance windows.

| Data Component | Name | Channel |
|---|---|---|
| User Account Deletion (DC0009) | esxi:hostd | method=RemoveUser or esxcli system account remove invocation |
| User Account Authentication (DC0002) | esxi:vpxa | user login from unexpected IP or non-admin user role |

| Field | Description |
|---|---|
| RemoteUserRole | ESXi role triggering the change (e.g., Administrator vs. Viewer) |
| ExpectedIPs | IP ranges authorized to conduct admin-level actions |

O365 UnifiedAuditLog entries for Remove-Mailbox or Set-Mailbox with account disable or delete actions correlated with suspicious login locations or MFA bypass.

| Data Component | Name | Channel |
|---|---|---|
| User Account Deletion (DC0009) | m365:unified | Remove-Mailbox, Set-Mailbox |
| User Account Authentication (DC0002) | m365:signin | Sign-in from anomalous location or impossible travel condition |

| Field | Description |
|---|---|
| RoleAssignment | Determine if operation was delegated to expected admin group |
| GeoThreshold | Trigger on unusual geographic login sources |

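The sign-in side of this analytic needs an actual impossible-travel computation, so the added example below (not code from the original page) derives great-circle distance and implied speed between an actor's consecutive sign-ins, applies a GeoThreshold against a per-actor home location, and then joins any anomaly to a Remove-Mailbox or account-disabling Set-Mailbox operation by the same actor within a two-hour window, also checking the RoleAssignment tunable. Sign-ins are assumed to arrive with IP geolocation already resolved to latitude/longitude; the records, the admin group, the home locations and the thresholds are constructed.

```python
"""Flag Exchange Online mailbox removal/disable operations whose actor's recent
sign-ins show impossible travel or come from far outside the actor's usual
location, and check the actor against the expected admin group.

Added example, not from the original page. Sign-ins are assumed to carry
resolved geolocation (lat, lon); all records, the admin group, the home
locations and the thresholds are constructed.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900      # faster than an airliner between two sign-ins => impossible travel
GEO_THRESHOLD_KM = 500   # GeoThreshold tunable: distance from the actor's usual location
EXPECTED_ADMIN_GROUP = {"alice@example.com", "carol@example.com"}   # RoleAssignment (constructed)
HOME_LOCATIONS = {"alice@example.com": (40.7128, -74.0060),          # constructed baselines
                  "carol@example.com": (50.1109, 8.6821)}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _ts(s):
    return datetime.fromisoformat(s)


def anomalous_signins(signins):
    """Return {(user, time): [reasons]} for sign-ins that are implausible for the actor."""
    flagged, by_user = {}, {}
    for s in sorted(signins, key=lambda s: _ts(s["time"])):
        by_user.setdefault(s["user"], []).append(s)
    for user, rows in by_user.items():
        for prev, cur in zip(rows, rows[1:]):
            hours = (_ts(cur["time"]) - _ts(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["geo"], cur["geo"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                flagged.setdefault((user, cur["time"]), []).append(
                    "impossible travel: %.0f km in %.1f h" % (km, hours))
        home = HOME_LOCATIONS.get(user)
        for s in rows:
            if home and haversine_km(home, s["geo"]) > GEO_THRESHOLD_KM:
                flagged.setdefault((user, s["time"]), []).append("sign-in far from usual location")
    return flagged


def is_removal(op):
    """Remove-Mailbox always counts; Set-Mailbox only when it disables the account."""
    if op["Operation"] == "Remove-Mailbox":
        return True
    if op["Operation"] == "Set-Mailbox":
        return any(p["Name"] == "AccountDisabled" and str(p["Value"]).lower() == "true"
                   for p in op.get("Parameters", []))
    return False


def detect(signins, operations, window_hours=2):
    flagged = anomalous_signins(signins)
    alerts = []
    for op in operations:
        if not is_removal(op):
            continue
        reasons = []
        if op["UserId"] not in EXPECTED_ADMIN_GROUP:
            reasons.append("actor outside expected admin group")
        op_time = _ts(op["CreationTime"])
        for (user, t), why in flagged.items():
            if user == op["UserId"] and 0 <= (op_time - _ts(t)).total_seconds() <= window_hours * 3600:
                reasons.extend(why)
        if reasons:
            alerts.append({"time": op["CreationTime"], "actor": op["UserId"], "operation": op["Operation"],
                           "target": op["ObjectId"], "reasons": reasons})
    return alerts


# Constructed records: New York (40.71, -74.01) and Frankfurt (50.11, 8.68) are about 6200 km apart.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-03-12T09:00:00+00:00", "ip": "198.51.100.20", "geo": (40.7128, -74.0060)},
    {"user": "alice@example.com", "time": "2024-03-12T09:40:00+00:00", "ip": "203.0.113.9", "geo": (50.1109, 8.6821)},
    {"user": "carol@example.com", "time": "2024-03-12T08:00:00+00:00", "ip": "192.0.2.14", "geo": (50.1109, 8.6821)},
]
SAMPLE_OPERATIONS = [
    {"CreationTime": "2024-03-12T09:45:00+00:00", "UserId": "alice@example.com", "Operation": "Remove-Mailbox",
     "ObjectId": "bob@example.com", "Parameters": [{"Name": "Identity", "Value": "bob@example.com"}]},
    {"CreationTime": "2024-03-12T10:30:00+00:00", "UserId": "carol@example.com", "Operation": "Set-Mailbox",
     "ObjectId": "dave@example.com", "Parameters": [{"Name": "Identity", "Value": "dave@example.com"},
                                                   {"Name": "AccountDisabled", "Value": "True"}]},
    {"CreationTime": "2024-03-12T10:35:00+00:00", "UserId": "carol@example.com", "Operation": "Set-Mailbox",
     "ObjectId": "dave@example.com", "Parameters": [{"Name": "Identity", "Value": "dave@example.com"},
                                                   {"Name": "DisplayName", "Value": "Dave"}]},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_SIGNINS, SAMPLE_OPERATIONS):
        print(alert)
```

Filtering Set-Mailbox on its `AccountDisabled` parameter matters because the operation name alone covers every mailbox setting change and would drown the analytic; the parameter list in the audit record is where the disable intent is visible. Carol's disable from her usual location by an expected admin produces nothing, while Alice's removal five minutes after a sign-in that implies roughly 9000 km/h does.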
Deletion or disablement of user accounts in platforms like Okta, Salesforce, or Zoom with anomalies in admin session attributes or mass actions within a short duration.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | saas:okta | user.lifecycle.delete, user.account.lock |

| Field | Description |
|---|---|
| BulkActionThreshold | Trigger if multiple deletions occur within a short period |
| SessionDeviceType | Alert on deletions initiated from unfamiliar device contexts |
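The two tunables for the SaaS analytic, BulkActionThreshold and SessionDeviceType, implemented over Okta System Log shaped events as an added example that is not part of the original page: a per-actor sliding window that fires once when the configured number of lifecycle events lands inside the window, and a device-context check against a per-actor baseline. The events, the thresholds and the device baseline are constructed; only a subset of Okta's field names (eventType, published, actor.alternateId, client.device, target) is used.

```python
"""Sliding-window detection of bulk user deletions/locks in Okta System Log
events, plus a check of the actor's device context against a baseline.

Added example, not from the original page. Events are constructed with a subset
of Okta System Log field names (eventType, published, actor.alternateId,
client.device, target); thresholds and the device baseline are assumptions.
"""
from collections import deque
from datetime import datetime, timedelta

LIFECYCLE_EVENTS = {"user.lifecycle.delete", "user.lifecycle.deactivate", "user.account.lock"}
BULK_THRESHOLD = 5                      # BulkActionThreshold tunable
BULK_WINDOW = timedelta(minutes=5)
# SessionDeviceType baseline (constructed): device contexts each actor normally acts from.
KNOWN_DEVICES = {"admin@example.com": {"Computer"}, "hr-sync@example.com": {"Unknown"}}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_bulk(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """One alert per actor, raised the first time `threshold` lifecycle events fall inside `window`."""
    recent, alerted, alerts = {}, set(), []
    for ev in sorted(events, key=lambda e: _ts(e["published"])):
        if ev["eventType"] not in LIFECYCLE_EVENTS:
            continue
        actor = ev["actor"]["alternateId"]
        q = recent.setdefault(actor, deque())
        q.append(ev)
        # Drop events that have aged out of the window relative to the newest one.
        while _ts(ev["published"]) - _ts(q[0]["published"]) > window:
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "count": len(q), "first": q[0]["published"],
                           "last": ev["published"],
                           "targets": [e["target"][0]["alternateId"] for e in q]})
    return alerts


def detect_unfamiliar_device(events):
    """Flag lifecycle events from a device context the actor has no baseline for."""
    alerts = []
    for ev in events:
        if ev["eventType"] not in LIFECYCLE_EVENTS:
            continue
        actor = ev["actor"]["alternateId"]
        device = ev["client"]["device"]
        if device not in KNOWN_DEVICES.get(actor, set()):
            alerts.append({"actor": actor, "device": device, "event": ev["eventType"],
                           "target": ev["target"][0]["alternateId"], "time": ev["published"]})
    return alerts


def _mk(actor, etype, target, published, device="Computer"):
    """Build a constructed event in the shape the detectors expect."""
    return {"eventType": etype, "published": published, "actor": {"alternateId": actor},
            "client": {"device": device}, "target": [{"alternateId": target}]}


# Constructed sample: six deletions by one admin in under a minute, two singletons, one non-lifecycle event.
SAMPLE_EVENTS = [_mk("admin@example.com", "user.lifecycle.delete", "user%d@example.com" % i,
                     "2024-03-12T10:00:%02dZ" % (i * 10)) for i in range(6)]
SAMPLE_EVENTS += [
    _mk("hr-sync@example.com", "user.lifecycle.delete", "leaver@example.com",
        "2024-03-12T10:02:00Z", device="Unknown"),
    _mk("jsmith@example.com", "user.account.lock", "cfo@example.com",
        "2024-03-12T10:03:00Z", device="Mobile"),
    _mk("admin@example.com", "user.session.start", "admin@example.com", "2024-03-12T09:59:00Z"),
]

if __name__ == "__main__":
    for alert in detect_bulk(SAMPLE_EVENTS) + detect_unfamiliar_device(SAMPLE_EVENTS):
        print(alert)
```

The deque keeps the window bounded per actor rather than re-scanning history on every event, and the `alerted` set stops a single burst from producing one alert per event past the threshold. Legitimate offboarding jobs will trip the bulk rule too; the practical tuning is to baseline those service actors (as done here for the HR sync account's device) or raise their threshold rather than suppress the rule.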