Description: Monitor new accounts with adminCount=1 (accounts flagged adminCount=1 in the hourly LDAP export that were not already flagged in the ad_users.csv baseline).
References: 1, 2, 3
SPL:
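```Current state: hourly LDAP export rows for accounts presently flagged adminCount=1```
index="ldapsearch" destCsv="hourly_adminCount.csv" adminCount=1
```Baseline: fetch the account's adminCount from ad_users.csv as wasAdmin, keyed on sAMAccountName + domain```
```lookup instead of join: a join subsearch is bounded by subsearch result/time limits, and a truncated baseline would surface long-standing admins as "new"```
```ad_users.csv must be readable as a lookup table file; inputlookup on the same file already implies that```
| lookup ad_users.csv sAMAccountName, domain OUTPUT adminCount AS wasAdmin
```Keep accounts not already admin in the baseline: wasAdmin absent (not in ad_users.csv) or any value other than 1```
| search NOT wasAdmin=1
```Friendly column names for the alert; displayName and mail come from the LDAP export events```
| rename domain AS Domain, sAMAccountName AS User, displayName AS Name, mail AS Email
| table Domain, User, Name, Email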