Alerting

Can you help me create a service account log-in alert?

mekkac11
New Member

Hello all, I have a service account (Account_AB) that should only log into a particular server (Server_A). We are getting AD logs into our Splunk instance. How would I go about setting an alert to notify if Account_AB logs into any other device other than Server_A? Thanks in advance.

Tags (1)
0 Karma

whrg
Motivator

First, you need to find out which fields are relevant for your search. Search for logins by Account_AB in Splunk and have a look at the available fields. Relevant fields might be EventCode, Account_Name, Workstation_Name...

If you are using the Windows Add-on then there should be standardized CIM fields available like tag, user and src.

Now create a search to find login events by Account_AB from systems other than Server_A:

index=* source="WinEventLog:Security" tag=authentication action=success user="Account_AB" src!="Server_A"

Now save this search as an alert and have the trigger condition "Number of Results is greater than 0".

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...