
Summary
The 'User Account Creation' detection rule identifies unauthorized attempts to create new user accounts, a tactic attackers commonly use to persist in a compromised system or network. The rule is written in Elastic's EQL (Event Query Language) and watches for process executions associated with account creation, specifically `net.exe` invoked with command-line arguments that add a user. It draws on endpoint data sources such as Winlogbeat, Sysmon logs, and logs from security products including Microsoft Defender, CrowdStrike, and Elastic Endgame. The risk is assessed as low, but the activity still warrants thorough investigation because it can be a precursor to further malicious actions.

Investigative steps include examining the process execution chain, verifying that the user performing the action is authorized to do so, and confirming that newly created accounts have not been granted elevated permissions. Handling false positives is equally important, since legitimate administrative tasks often produce the same indicators. Where malicious activity is confirmed, incident response procedures should be initiated, including isolating affected hosts and resetting potentially compromised credentials.
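The following is an added example, not the rule's own EQL query or any code from Elastic: a small Python re-implementation of the detection logic the summary describes, run over constructed process-start events. The events use flattened ECS-style field names and are not real telemetry; the suppression of a `net1.exe` child whose parent is `net.exe` is an assumption of this example (on Windows, `net.exe` hands the command off to `net1.exe`, which would otherwise produce a duplicate alert for the same command), not something the summary states.

```python
import json

# Constructed process events, one JSON document per line, as an endpoint log might hold them.
# Deliberately includes a net1.exe child, a plain "net user" listing, a deletion, a
# non-start event and a malformed line so the edge cases are exercised.
SAMPLE_LOG = "\n".join([
    json.dumps({"event.type": "start", "host.name": "ws01", "user.name": "jdoe",
                "process.name": "net.exe", "process.parent.name": "cmd.exe",
                "process.command_line": "net user svc_backup Passw0rd! /add"}),
    json.dumps({"event.type": "start", "host.name": "ws01", "user.name": "jdoe",
                "process.name": "net1.exe", "process.parent.name": "net.exe",
                "process.command_line": "C:\\Windows\\system32\\net1 user svc_backup Passw0rd! /add"}),
    json.dumps({"event.type": "start", "host.name": "ws01", "user.name": "jdoe",
                "process.name": "net.exe", "process.parent.name": "cmd.exe",
                "process.command_line": "net user"}),
    json.dumps({"event.type": "start", "host.name": "srv02", "user.name": "helpdesk-admin",
                "process.name": "NET.EXE", "process.parent.name": "powershell.exe",
                "process.command_line": "NET USER contractor7 Tmp#2024 /ADD /DOMAIN"}),
    json.dumps({"event.type": "start", "host.name": "srv02", "user.name": "helpdesk-admin",
                "process.name": "net.exe", "process.parent.name": "powershell.exe",
                "process.command_line": "net user olduser /delete"}),
    json.dumps({"event.type": "end", "host.name": "srv02", "user.name": "helpdesk-admin",
                "process.name": "net.exe", "process.parent.name": "powershell.exe",
                "process.command_line": "net user ghost /add"}),
    "{not valid json",
])


def parse_events(text):
    """Parse JSON-lines input, skipping blank and malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_account_creation(event):
    """True when the event is a process start of net.exe/net1.exe adding a user."""
    if event.get("event.type") != "start":
        return False
    name = event.get("process.name", "").lower()
    if name not in ("net.exe", "net1.exe"):
        return False
    # Assumption for this example: net.exe launches net1.exe for the same command, so a
    # net1.exe child of net.exe is already covered by the alert on its parent.
    if name == "net1.exe" and event.get("process.parent.name", "").lower() == "net.exe":
        return False
    args = [a.lower() for a in event.get("process.command_line", "").split()]
    return "user" in args and "/add" in args


def new_account_name(command_line):
    """Return the account name following the 'user' verb, or None if absent."""
    tokens = command_line.split()
    lowered = [t.lower() for t in tokens]
    if "user" not in lowered:
        return None
    idx = lowered.index("user") + 1
    if idx < len(tokens) and not tokens[idx].startswith("/"):
        return tokens[idx]
    return None


def detect_account_creation(text):
    """Run the rule logic over a JSON-lines log and return one alert per matching event,
    carrying the fields an analyst needs for the triage steps listed above."""
    alerts = []
    for event in parse_events(text):
        if not is_account_creation(event):
            continue
        cmd = event.get("process.command_line", "")
        alerts.append({
            "host": event.get("host.name"),
            "actor": event.get("user.name"),          # who ran the command: check authorization
            "parent": event.get("process.parent.name"),  # execution chain context
            "new_account": new_account_name(cmd),      # account to check for elevated groups
            "command_line": cmd,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_account_creation(SAMPLE_LOG):
        print(json.dumps(alert))
```

Each alert carries the actor, the parent process and the created account name so the investigative steps in the summary (execution chain, legitimacy of the actor, privileges of the new account) can be worked from the alert itself; matching is case-insensitive because `NET USER ... /ADD` is as valid to Windows as the lowercase form.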
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Network Traffic
- User Account
ATT&CK Techniques
- T1136
- T1136.001
Created: 2020-02-18