Solved: Creating an alert for service account log in

Splunk1 · ‎12-21-2020

Hi,

We have a service account svc_account, that should log into certain servers (Server1, Server2, Server 3). How would we create an alert to notify if svc_account logs into a server other than Server1, Server2, Server 3? Thank you for your help.

richgalloway · ‎12-21-2020

Almost. Use this, instead.

source="WinEventLog:Security" EventCode="4624" user="svc_account" NOT (src="Server1" OR src="Server2" OR src="Server3")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-21-2020

Assuming all servers report logins to Splunk, creating an alert is as easy as searching for a login event by svc_account on any server that is not Server1, Server2, or Server3. Save that search as an alert and schedule it as desired.

---
If this reply helps you, Karma would be appreciated.

Splunk1 · ‎12-21-2020

So I can do something like this:

source="WinEventLog:Security" EventCode="4624" user="svc_account" src!="Server1" OR "Sever2" OR "Server3"

richgalloway · ‎12-21-2020

Almost. Use this, instead.

source="WinEventLog:Security" EventCode="4624" user="svc_account" NOT (src="Server1" OR src="Server2" OR src="Server3")

---
If this reply helps you, Karma would be appreciated.

Creating an alert for service account log in

alert action

alert condition

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout