
Local User Creation

Sigma Rules

Summary
This detection rule identifies the creation of local user accounts on Windows servers. In an Active Directory (AD) environment, user management is centralized in AD, so accounts should not be created in a member server's local SAM; when they are, it points to either an administrator bypassing central controls or an attacker establishing a persistent foothold. The rule applies to the Windows Security log and matches Event ID 4720 ("A user account was created"). It is a detection, not a preventive control: it surfaces local account creation for review so that only authorized changes stand. Apply it to member server logs only, not to Domain Controller (DC) logs. A DC logs Event ID 4720 for every domain account it creates, so the same match would fire on routine, legitimate domain user provisioning. Known false positives are local accounts created by privileged access management tools and DC logs that were mistakenly left in scope.
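As an added example (not the Sigma rule itself and not code from this page), the following Python runs the rule's logic over constructed Security events in Windows Event XML form: match Event ID 4720 on the Security channel, skip hosts in a caller-supplied set of Domain Controller names (an assumption standing in for the "do not apply to DC logs" guidance; in practice the list comes from AD or the collector's asset tags), and suppress a hypothetical PAM service account to show the documented false positive. It also records whether the event's TargetDomainName equals the host's own NetBIOS name, which is what distinguishes a local SAM account from a domain account in a 4720 record (on a DC that field carries the domain name). All hostnames, account names and events below are constructed.

```python
"""Local User Creation (Security Event ID 4720) detection run over constructed events.

Added example, not the Sigma rule itself. Assumptions: the set of Domain Controller
hostnames and the PAM service-account allowlist are supplied by the caller
(hypothetical values below); the events are constructed XML in the Windows Event
Log schema, not real captures.
"""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
USER_CREATED = 4720  # Security: "A user account was created"


def build_event(computer, event_id, data):
    """Construct a minimal Security event record (constructed sample, not a real capture)."""
    data_xml = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{EVENT_NS}"><System>'
        f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f"<EventID>{event_id}</EventID><Channel>Security</Channel>"
        f"<Computer>{computer}</Computer></System>"
        f"<EventData>{data_xml}</EventData></Event>"
    )


# Constructed sample: one local creation on a member server, one domain creation
# logged by a DC, one PAM-driven local creation, and an unrelated 4722 (account enabled).
SAMPLE_EVENTS = [
    build_event("SRV01.corp.example", 4720, {"TargetUserName": "svc_backup",
                "TargetDomainName": "SRV01", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"}),
    build_event("DC01.corp.example", 4720, {"TargetUserName": "newhire",
                "TargetDomainName": "CORP", "SubjectUserName": "hr_admin", "SubjectDomainName": "CORP"}),
    build_event("SRV02.corp.example", 4720, {"TargetUserName": "pam_rotated01",
                "TargetDomainName": "SRV02", "SubjectUserName": "svc_pam", "SubjectDomainName": "CORP"}),
    build_event("SRV01.corp.example", 4722, {"TargetUserName": "svc_backup",
                "TargetDomainName": "SRV01", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP"}),
]


def parse_event(xml_text):
    """Flatten System fields and EventData <Data Name=...> pairs into one dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ev = {
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def detect_local_user_creation(ev, domain_controllers, pam_accounts=frozenset()):
    """Return an alert dict if the event is a local user creation on a member server, else None."""
    if ev["Channel"] != "Security" or ev["EventID"] != USER_CREATED:
        return None
    host = ev["Computer"].split(".")[0].upper()  # NetBIOS name from the FQDN
    if host in domain_controllers:
        return None  # rule is not meant for DC logs: 4720 there is domain provisioning
    if ev.get("SubjectUserName", "").upper() in pam_accounts:
        return None  # documented false positive: PAM tool managing local accounts
    return {
        "host": host,
        "target": ev.get("TargetUserName", ""),
        "subject": f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}",
        # For a local SAM account the "Account Domain" field is the computer's own name.
        "is_local_sam": ev.get("TargetDomainName", "").upper() == host,
    }


def run_detection(events_xml, domain_controllers, pam_accounts=frozenset()):
    """Apply the rule to a batch of raw event XML strings; return the list of alerts."""
    dcs = {d.upper() for d in domain_controllers}
    pam = {p.upper() for p in pam_accounts}
    alerts = []
    for xml_text in events_xml:
        alert = detect_local_user_creation(parse_event(xml_text), dcs, pam)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS, {"DC01"}, {"svc_pam"}):
        print(f"ALERT local user {a['target']!r} created on {a['host']} by {a['subject']} "
              f"(local SAM: {a['is_local_sam']})")
```

Run against the constructed batch with DC01 excluded and svc_pam allowlisted, only the SRV01 creation by CORP\jdoe is raised. Dropping both exclusions shows why the scoping matters: the DC's domain provisioning and the PAM rotation fire as well, and the DC alert carries is_local_sam False because its TargetDomainName is the domain, not the host.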
Categories
  • Windows
  • Infrastructure
Data Sources
  • Windows Registry
  • Logon Session
  • Application Log
Created: 2019-04-18