Crowdstrike New Admin User Created

Panther Rules

Summary
The rule 'Crowdstrike New Admin User Created' detects the creation of a new user account followed by the assignment of administrative privileges to that account, a pattern that can indicate malicious activity or account compromise. It is a correlation rule built on two events: 'AccountCreated', which fires when a new user account is created, and 'AdminRoleAssigned', which records the assignment of admin rights to a user. The rule alerts when both events occur within 45 minutes of each other and the 'target' and 'actor' fields of the two events match. It also uses a lookback window of 2160 minutes (36 hours), so related events from the recent past are still considered, which improves the chance of catching the full sequence. The rule has high severity because creating an administrative account carries a direct risk of unauthorized access and privilege escalation. The accompanying tests exercise true-positive and false-positive scenarios of user creation and role assignment to confirm the rule behaves as intended.
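The correlation described above, as an added illustration rather than Panther's own rule code: it pairs each 'AdminRoleAssigned' event with a preceding 'AccountCreated' event on the same actor/target pair, requires the gap to be at most 45 minutes, and discards events older than the 36-hour lookback. The event field names and the sample events are constructed for this example.

```python
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(minutes=45)      # max gap between the two events
LOOKBACK_WINDOW = timedelta(minutes=2160)       # 36 hours of history to consider

# Constructed sample events (not real CrowdStrike telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"event": "AccountCreated",   "actor": "alice", "target": "svc-backup",    "ts": "2024-08-15T10:00:00"},
    {"event": "AdminRoleAssigned", "actor": "alice", "target": "svc-backup",    "ts": "2024-08-15T10:20:00"},  # 20 min: alert
    {"event": "AccountCreated",   "actor": "bob",   "target": "intern01",      "ts": "2024-08-15T11:00:00"},
    {"event": "AdminRoleAssigned", "actor": "bob",   "target": "intern01",      "ts": "2024-08-15T12:30:00"},  # 90 min: outside window
    {"event": "AdminRoleAssigned", "actor": "carol", "target": "existing-user", "ts": "2024-08-15T12:00:00"},  # no creation: benign
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def correlate_new_admin_users(events, now=None):
    """Return one alert per AdminRoleAssigned that follows an AccountCreated
    for the same (actor, target) within CORRELATION_WINDOW, ignoring events
    older than LOOKBACK_WINDOW relative to `now` (default: latest event time)."""
    ordered = sorted(events, key=lambda e: _parse(e["ts"]))
    if not ordered:
        return []
    now = now or _parse(ordered[-1]["ts"])
    cutoff = now - LOOKBACK_WINDOW

    pending_creations = {}   # (actor, target) -> time the account was created
    alerts = []
    for ev in ordered:
        ts = _parse(ev["ts"])
        if ts < cutoff:      # outside the lookback window: never correlated
            continue
        key = (ev["actor"], ev["target"])
        if ev["event"] == "AccountCreated":
            pending_creations[key] = ts
        elif ev["event"] == "AdminRoleAssigned":
            created = pending_creations.get(key)
            if created is not None and timedelta(0) <= ts - created <= CORRELATION_WINDOW:
                alerts.append({"actor": ev["actor"], "target": ev["target"],
                               "minutes_between": int((ts - created).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in correlate_new_admin_users(SAMPLE_EVENTS):
        print("ALERT new admin user:", alert)
```

Passing a later `now` (for example three days after the sample events) empties the lookback window and produces no alerts, which mirrors how the rule stops pairing events once they age out.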
Categories
  • Identity Management
  • Endpoint
Data Sources
  • User Account
  • Application Log
ATT&CK Techniques
  • T1136.003
  • T1098.003
Created: 2024-08-15