Solved: Creating an alert for service account log in

Splunk1 · ‎12-21-2020

Hi,

We have a service account svc_account, that should log into certain servers (Server1, Server2, Server 3). How would we create an alert to notify if svc_account logs into a server other than Server1, Server2, Server 3? Thank you for your help.

richgalloway · ‎12-21-2020

Almost. Use this, instead.

source="WinEventLog:Security" EventCode="4624" user="svc_account" NOT (src="Server1" OR src="Server2" OR src="Server3")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-21-2020

Assuming all servers report logins to Splunk, creating an alert is as easy as searching for a login event by svc_account on any server that is not Server1, Server2, or Server3. Save that search as an alert and schedule it as desired.

---
If this reply helps you, Karma would be appreciated.

Splunk1 · ‎12-21-2020

So I can do something like this:

source="WinEventLog:Security" EventCode="4624" user="svc_account" src!="Server1" OR "Sever2" OR "Server3"

richgalloway · ‎12-21-2020

Almost. Use this, instead.

source="WinEventLog:Security" EventCode="4624" user="svc_account" NOT (src="Server1" OR src="Server2" OR src="Server3")

---
If this reply helps you, Karma would be appreciated.

Creating an alert for service account log in

alert action

alert condition

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)