Hi.
I see dashboard in ES 4.1.1 aka "Default Account Activity", but he shows activity of all accounts.
How to detect Default Account? Any solutions?
Maybe someone can share list of all default accounts? (I'm tried to google, but got unsatisfactory results).
By "Default Account" i mean:
"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."
Hey
Are you looking for the Administrative lookup of ES?
/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit?namespace=SA-IdentityManagement&transform=administrative_identity_lookup
Or is it the case that all your logins are being wrongfully tagged with tag="default"?
Look at the DataSet definition
**Default Authentication**
(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)
Constraint
tag="default"
That lookup have only 30+ default usernames and we don't know topicality of there names.
So, any another solutions?
In my case I am not getting a single default login
Or, how to search default accounts by Splunk?
Because I see all users are listed in the results not just default accounts like admins and the like.
This behaviour is not related to that Lookup. It is actually related to how your events are arriving to Splunk and how they are tagged in the sourcetypes.
For instance if you have WinEventLog:Security, SYSTEM account is considered by the Splunk_TA_for_Windows as a default account ant therefore tagged as tag=default, and so it shows up in that correlation search.
You should try to understand why are your events tagged with tag=default in one of the sourcetypes you are getting wrongful data.