Hello all, I have a service account (Account_AB) that should only log into a particular server (Server_A). We are getting AD logs into our Splunk instance. How would I go about setting an alert to notify if Account_AB logs into any other device other than Server_A? Thanks in advance.
First, you need to find out which fields are relevant for your search. Search for logins by Account_AB in Splunk and have a look at the available fields. Relevant fields might be EventCode, Account_Name, Workstation_Name...
If you are using the Windows Add-on then there should be standardized CIM fields available like tag, user and src.
Now create a search to find login events by Account_AB from systems other than Server_A:
index=* source="WinEventLog:Security" tag=authentication action=success user="Account_AB" src!="Server_A"
Now save this search as an alert and have the trigger condition "Number of Results is greater than 0".
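The same detection logic run over a handful of constructed events, as an added example (not code from the original thread). It assumes the Splunk Add-on for Windows has already mapped the raw 4624/4625 records to the CIM Authentication fields user, src, dest and action, and it keys the check on dest, the host the logon landed on, rather than src, the workstation the logon came from, because the question asks about the device being logged into. The account name, host names and timestamps are made up.

```python
"""Added example: detect a service account logging on anywhere except its
one permitted server.  The events below are constructed stand-ins for
Windows Security 4624/4625 records after the Splunk Add-on for Windows has
mapped them to CIM Authentication fields (user, src, dest, action); the
account and host names are assumptions, not from the original thread."""

# Policy: service account -> set of hosts it may log on to (assumed names).
POLICY = {"account_ab": {"server_a"}}


def norm_host(name: str) -> str:
    """Compare on the short, lower-case hostname: Windows logs mix case,
    sometimes emit FQDNs, and use a trailing '$' for machine accounts."""
    return name.split(".", 1)[0].rstrip("$").lower()


def norm_user(name: str) -> str:
    """Strip DOMAIN\\ and @realm decorations so CORP\\Account_AB,
    Account_AB@corp.local and Account_AB all compare equal."""
    bare = name.rsplit("\\", 1)[-1].split("@", 1)[0]
    return bare.lower()


def find_violations(events, policy=POLICY):
    """Return the successful logons by a policed account whose destination
    host is not on that account's allow list.  Keyed on dest (the host the
    logon landed on), not src (the workstation it came from)."""
    hits = []
    for ev in events:
        if ev.get("action") != "success":      # 4625 failures never "logged in"
            continue
        user = norm_user(ev.get("user", ""))
        if user not in policy:                  # only policed accounts matter
            continue
        if norm_host(ev.get("dest", "")) in policy[user]:
            continue
        hits.append({"_time": ev.get("_time"), "user": ev.get("user"),
                     "src": ev.get("src"), "dest": ev.get("dest")})
    return hits


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T08:00:00Z", "EventCode": "4624", "action": "success",
     "user": "Account_AB", "src": "ADMIN-PC", "dest": "Server_A"},
    {"_time": "2024-05-01T08:05:00Z", "EventCode": "4624", "action": "success",
     "user": "CORP\\Account_AB", "src": "ADMIN-PC", "dest": "SERVER_B.corp.local"},
    {"_time": "2024-05-01T08:06:00Z", "EventCode": "4625", "action": "failure",
     "user": "Account_AB", "src": "ADMIN-PC", "dest": "Server_C"},
    {"_time": "2024-05-01T08:10:00Z", "EventCode": "4624", "action": "success",
     "user": "Account_AB@corp.local", "src": "JUMPBOX", "dest": "server_a.corp.local"},
    # Logon initiated from the permitted server onto another host: a filter on
    # src alone would not return this one, a filter on dest does.
    {"_time": "2024-05-01T08:15:00Z", "EventCode": "4624", "action": "success",
     "user": "Account_AB", "src": "Server_A", "dest": "Server_D"},
    {"_time": "2024-05-01T08:20:00Z", "EventCode": "4624", "action": "success",
     "user": "svc_backup", "src": "ADMIN-PC", "dest": "Server_Z"},
]


if __name__ == "__main__":
    for hit in find_violations(SAMPLE_EVENTS):
        print(f"ALERT {hit['_time']} {hit['user']} -> {hit['dest']} (from {hit['src']})")
```

Run against the sample set it reports two events, the logon onto SERVER_B and the one onto Server_D; the failed logon, the other account and both spellings of Server_A are left alone. The host and user normalisation is the part worth copying into the Splunk search as well (lower() or an eval on dest before the comparison), since a hostname written as an FQDN or in a different case will otherwise slip past an exact string match.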