Quick Question guys,
Is there any way to detect if there were any successful connection using an account called "donotuse" or other well known/built-in accounts that are not in our AD environment? Rather than seeing a failure and acting on that, it seems that if something were successful, that would be a REAL security issue. Any insight or help is GREATLY appreciated.
Assuming you already log successful connections, you'll need to create a list of built-in account names that you can use to filter the logs against.
Hi Rich, thanks for the reply. Do you have the SPL by chance that will look for successful connections? I assume you are referring to creating a lookup table list that contains built-in accounts that I can bounce my query off of?
Yes, a lookup table should work well. The SPL will depend on where you get your connection info and how it is indexed. The Splunk Security Essentials app should have some examples, though.