Getting Data In

Best way to Filter Windows Events before Indexing?



We're seeing may Events with EventCode 4624 and 4634 with Account_Name ending with $ sign. Is there any value for it in Security logs OR we can filter them Out?

0 Karma


Account names ending with a $ are usually reloated to computer identities

From a security perspective, it is very important to keep related events along with standard user activity as there are many ways to act as the computer system once it has been compromised (psexec, etc.) If you filter those events, you will be partially blind when monitoring possible attacks.

0 Karma


I can't answer whether there is a need for them, but others do filter out these computer accounts:

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...