Detection https://github.com/splunk/security_content/blob/develop/detections/endpoint/windows_create_local_account.yml
Picking up domain user accounts created on a DC - may be worth adding a note to false positives section to exclude events from a DC?