I see dashboard in ES 4.1.1 aka "Default Account Activity", but he shows activity of all accounts.
How to detect Default Account? Any solutions?
Maybe someone can share list of all default accounts? (I'm tried to google, but got unsatisfactory results).
By "Default Account" i mean:
"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."
Are you looking for the Administrative lookup of ES?
Or is it the case that all your logins are being wrongfully tagged with tag="default"?
Look at the DataSet definition
**Default Authentication** (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) Constraint tag="default"
Or, how to search default accounts by Splunk?
Because I see all users are listed in the results not just default accounts like admins and the like.
This behaviour is not related to that Lookup. It is actually related to how your events are arriving to Splunk and how they are tagged in the sourcetypes.
For instance if you have WinEventLog:Security, SYSTEM account is considered by the SplunkTAfor_Windows as a default account ant therefore tagged as tag=default, and so it shows up in that correlation search.
You should try to understand why are your events tagged with tag=default in one of the sourcetypes you are getting wrongful data.