I am trying to create a Rule which is used to detect "Users deleted less than 24 hours after creation". In Condition, I want to get End Time (Event ID: 630) and End Time (Event ID: 624) which have the same Target User Name, then compare these 2 End Time values. But I don't know how to do it.

Does anyone know or have any other idea? Thank you very much.

The way I would go about this is to create an AL that stores the end time & username of the created user with a 24 hour expiration time, build a rule that fires when a user is created and adds the username to the AL.  Then create an AL that fires on a user deletion event which looks in the created user AL for any users that match.  Due to the 24 hour expiration time, if the user exists in the AL then it has been created within the 24 hour timeframe.  This method makes it so the rule does not have to look back over 24 hours of time (which can be done, but that's going to be resource intensive), nor do you have to have a rule that looks 24 hours in the future for a deletion event (which again, can be done, but is bad juju).



  • It's a very good idea. Thank you, Chris!
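The approach from the answer above, as an added example that is not part of the original thread and is not SIEM rule syntax: creation events (624) go into a list whose entries expire after 24 hours, and each deletion event (630) is checked against it. The `ExpiringList` class, the event field names and the sample events are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

CREATED, DELETED = 624, 630   # event IDs given in the question
TTL = timedelta(hours=24)     # expiration time of a created-user entry


class ExpiringList:
    """Hypothetical in-memory stand-in for the AL: key -> stored time, with TTL."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}

    def add(self, key, when):
        self.entries[key] = when              # re-adding refreshes the entry

    def lookup(self, key, now):
        """Return the stored time if the entry is still live, else None."""
        when = self.entries.get(key)
        if when is not None and now - when >= self.ttl:
            del self.entries[key]             # expired: treat as absent
            when = None
        return when


def detect_short_lived_users(events, ttl=TTL):
    """Return (user, created, deleted) for users deleted within ttl of creation."""
    created = ExpiringList(ttl)
    alerts = []
    for ev in sorted(events, key=lambda e: e["end_time"]):
        user = ev["target_user"].lower()      # match names case-insensitively
        if ev["event_id"] == CREATED:
            created.add(user, ev["end_time"])
        elif ev["event_id"] == DELETED:
            start = created.lookup(user, ev["end_time"])
            if start is not None:             # still in the list: under 24 hours old
                alerts.append((user, start, ev["end_time"]))
                del created.entries[user]     # one alert per creation
    return alerts


# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    {"event_id": CREATED, "target_user": "tmpadmin", "end_time": T0},
    {"event_id": CREATED, "target_user": "jsmith", "end_time": T0},
    {"event_id": DELETED, "target_user": "TmpAdmin", "end_time": T0 + timedelta(hours=2)},
    {"event_id": DELETED, "target_user": "jsmith", "end_time": T0 + timedelta(hours=30)},
    {"event_id": DELETED, "target_user": "olduser", "end_time": T0 + timedelta(hours=3)},
]
```

Only the deletion of `tmpadmin` is reported: `jsmith` has aged out of the list by the time it is deleted, and `olduser` was never added to it.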