Splunk Enterprise Security

User internal_monitoring Attempt to Login?

I am investigating a Geographically Improbable Access notable event. The user internal_monitoring is detected to have successful logons in 2 different countries. How is this possible? Isn't internal_monitoring a daemon/background process and not something that a "human" can use to log in?

Please advise. Thanks a lot!

0 Karma