We have a service account svc_account, that should log into certain servers (Server1, Server2, Server3). How would we create an alert to notify if svc_account logs into a server other than Server1, Server2, Server3? Thank you for your help.
Assuming all servers report logins to Splunk, creating an alert is as easy as searching for a login event by svc_account on any server that is not Server1, Server2, or Server3. Save that search as an alert and schedule it as desired.
--- If this reply helps you, an upvote would be appreciated.
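One way to write that search, given as an added example rather than the answer's own; it assumes Windows Security logs onboarded with the Splunk Windows add-on (index wineventlog, EventCode 4624, fields Account_Name, Logon_Type, Source_Network_Address), so adjust index, sourcetype and field names for your environment or for Linux auth logs:

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Account_Name="svc_account"
    NOT host IN ("Server1", "Server2", "Server3")
| stats count AS logons, earliest(_time) AS first_seen, latest(_time) AS last_seen,
        values(Logon_Type) AS logon_types, values(Source_Network_Address) AS sources BY host
| convert ctime(first_seen) ctime(last_seen)
```

Save it as an alert on a schedule such as every 15 minutes over the last 15 minutes with the trigger condition "number of results > 0"; before relying on it, confirm how host values actually appear in your events (short name versus FQDN, case), since the NOT host IN list only excludes exact matches.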