https://community.splunk.com/t5/Splunk-Search/CIM-Authentication-data-model/m-p/679367#M232242 <P>Hello,</P><P>I would like to know the aim of this default constraint :</P><DIV class=""><DIV class=""><DIV class=""><SPAN class="">(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)</SPAN></DIV></DIV></DIV><DIV class=""><DIV class=""><SPAN class="">action="success"</SPAN></DIV><DIV class="">&nbsp;</DIV><DIV class=""><SPAN class="">Especially what does it try to match with user=*$ ? User accounts ending with $ symbol like in Windows?</SPAN></DIV><DIV class="">&nbsp;</DIV><DIV class=""><SPAN class="">Thanks.</SPAN></DIV><DIV class="">&nbsp;</DIV></DIV> Sat, 02 Mar 2024 09:46:58 GMT splunkreal 2024-03-02T09:46:58Z https://community.splunk.com/t5/Splunk-Search/CIM-Authentication-data-model/m-p/679367#M232242 <P>Hello,</P><P>I would like to know the aim of this default constraint :</P><DIV class=""><DIV class=""><DIV class=""><SPAN class="">(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)</SPAN></DIV></DIV></DIV><DIV class=""><DIV class=""><SPAN class="">action="success"</SPAN></DIV><DIV class="">&nbsp;</DIV><DIV class=""><SPAN class="">Especially what does it try to match with user=*$ ? User accounts ending with $ symbol like in Windows?</SPAN></DIV><DIV class="">&nbsp;</DIV><DIV class=""><SPAN class="">Thanks.</SPAN></DIV><DIV class="">&nbsp;</DIV></DIV> Sat, 02 Mar 2024 09:46:58 GMT https://community.splunk.com/t5/Splunk-Search/CIM-Authentication-data-model/m-p/679367#M232242 splunkreal 2024-03-02T09:46:58Z https://community.splunk.com/t5/Splunk-Search/CIM-Authentication-data-model/m-p/679369#M232243 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/171872">@splunkreal</a>,</P><P><SPAN>user names ending with $ are windows service accounts and usually they aren't relevant in authentication monitoring.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Sat, 02 Mar 2024 11:43:50 GMT https://community.splunk.com/t5/Splunk-Search/CIM-Authentication-data-model/m-p/679369#M232243 gcusello 2024-03-02T11:43:50Z https://community.splunk.com/t5/Splunk-Search/CIM-Authentication-data-model/m-p/679374#M232244 <P>As far as I remember, there are two kinds of account that have names ending with $ (in Windows - for other systems it's highly unlikely that there will be an account named this way; but it would be nice to account for that) - Managed Service Accounts (which <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a> already mentioned) and computer accounts. Both of those account types are authenticated without using interactive authentication modes so they're irrelevant to the events you're looking for in this dataset.</P> Sat, 02 Mar 2024 13:42:10 GMT https://community.splunk.com/t5/Splunk-Search/CIM-Authentication-data-model/m-p/679374#M232244 PickleRick 2024-03-02T13:42:10Z