Getting Data In

Best way to Filter Windows Events before Indexing?



We're seeing may Events with EventCode 4624 and 4634 with Account_Name ending with $ sign. Is there any value for it in Security logs OR we can filter them Out?

0 Karma


Account names ending with a $ are usually reloated to computer identities

From a security perspective, it is very important to keep related events along with standard user activity as there are many ways to act as the computer system once it has been compromised (psexec, etc.) If you filter those events, you will be partially blind when monitoring possible attacks.

0 Karma


I can't answer whether there is a need for them, but others do filter out these computer accounts:

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...