https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582612#M13438 <P>AIUI, names ending with $ are system accounts and can be ignored.</P> Wed, 26 Jan 2022 21:21:06 GMT richgalloway 2022-01-26T21:21:06Z https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582591#M13437 <P>I have created a windows level brute force attack alert to alert me when X number of authentication failures occur in a 15 min interval.</P><P>sometimes I see an alert where the user is the same hostname but ends in the <STRONG>$</STRONG> sign</P><P>I have searched the windows documentation but it is not completely clear to me, could someone give me their opinion on what it is, if it is relevant or a false positive.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkcol_0-1643220561002.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17689iC9B030D659FD2DF0/image-size/large?v=v2&amp;px=999" role="button" title="splunkcol_0-1643220561002.png" alt="splunkcol_0-1643220561002.png" /></span></P><P>&nbsp;</P><P>tnx</P> Wed, 26 Jan 2022 18:10:58 GMT https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582591#M13437 splunkcol 2022-01-26T18:10:58Z https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582612#M13438 <P>AIUI, names ending with $ are system accounts and can be ignored.</P> Wed, 26 Jan 2022 21:21:06 GMT https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582612#M13438 richgalloway 2022-01-26T21:21:06Z https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582619#M13439 <P>In AD computer accounts end with dollar sign. So you probably have your computers named after primary users.</P> Wed, 26 Jan 2022 22:01:28 GMT https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582619#M13439 PickleRick 2022-01-26T22:01:28Z https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582811#M13440 <P>Or those could be a managed service accounts&nbsp;<A href="https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview" target="_blank">https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview</A></P><P>In that case you probably should check those?</P><P>r. Ismo</P> Thu, 27 Jan 2022 18:39:42 GMT https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582811#M13440 isoutamo 2022-01-27T18:39:42Z https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582935#M13441 <P>As there are divided opinions, I prefer that it be the client who decides</P><P>thanks to all</P><P>&nbsp;</P><P>"<EM>Next we filter out the domains that we are expecting to see. Controversially, we are also ignoring accounts that end in a dollar sign, which will typically occur from server accounts. This is a problematic assumption, as there's nothing to keep attackers from using dollar sign usernames for their own purposes -- as you mature this detection, try to move away from this limitation.</EM>"</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkcol_0-1643381137431.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17743iA2FC2193F23953FC/image-size/large?v=v2&amp;px=999" role="button" title="splunkcol_0-1643381137431.png" alt="splunkcol_0-1643381137431.png" /></span></P><P><A href="https://docs.splunksecurityessentials.com/content-detail/user_login_local_credentials/" target="_blank">https://docs.splunksecurityessentials.com/content-detail/user_login_local_credentials/</A></P> Fri, 28 Jan 2022 14:47:53 GMT https://community.splunk.com/t5/Alerting/windows-user-ending-in/m-p/582935#M13441 splunkcol 2022-01-28T14:47:53Z