SOC Event Lookup
Event ID 4726AccountMgmtP2

Windows Event ID 4726: A user account was deleted

Windows Security Event ID 4726 records that an Active Directory or local user account object was deleted, logging the Subject who performed the deletion and the Target Account that was removed.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-12

Trigger Scenarios

Any deletion of a user account in Active Directory or on a local machine generates this event. Legitimate causes include off-boarding through HR-driven identity management, automated account lifecycle workflows, or privileged AD administration. Adversary use involves destroying accounts to prevent recovery, to disrupt operations, or to conceal earlier account-based activity.

Key Fields

Target Account\Account Name / Security ID

The identity of the account that was deleted. Deletion of an account whose name matches a domain admin, service account, or known operational identity is a direct T1531 Account Access Removal signal: those accounts protect resources or enable recovery, so removing them constitutes deliberate access disruption.

Subject\Account Name / Logon ID

The identity that performed the deletion. Correlate the Logon ID with the originating 4624 logon to identify the source workstation; a deletion made from an unusual source IP or by an account that does not normally manage directory objects warrants investigation.

Common False Positives

  • Automated identity lifecycle systems routinely delete accounts for terminated employees.
  • Test accounts and temporary project accounts are deleted as part of normal cleanup workflows.
  • Migration projects may bulk-delete legacy accounts after migration is confirmed complete.

Related Events

MITRE ATT&CK Mapping

  • T1531Account Access Removal

Detection Notes

T1531 is concrete when more than five unique Target Accounts are deleted by one Subject Logon ID in a 10-minute window, a published Splunk detection threshold. One deletion of a privileged account remains actionable; join the Subject Logon ID to 4624 because 4726 does not log source IP. Use window=10 minutes for the published bulk-deletion correlation.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4726
| project TimeGenerated, Computer, SubjectUserName, TargetUserName, TargetSid
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4726
| stats dc(TargetUserName) as deleted_count by SubjectUserName, span(_time, 10m)
| where deleted_count > 5
| table _time, SubjectUserName, deleted_count
Sample Log
Subject:
  Security ID: CORP\svc-iam
  Account Name: svc-iam
  Account Domain: CORP
  Logon ID: 0x8B2140
Target Account:
  Security ID: CORP\da-backup
  Account Name: da-backup
  Account Domain: CORP
Additional Information:
  Privileges: -

Source