Splunk Enterprise Security

User internal_monitoring Attempt to Login?

morethanyell
Contributor

I am investigating on a Geographically Improbable Access notable event. The user internal_monitoring is detected to have successfull logons in 2 different countries. How is this possible? Isn't internal_monitoring a daemon/background process and isn't something that a "human" can use to login?

Please advice. Thanks a lot!

0 Karma

sulakshanaarora
New Member

Hi,

Facing something similar, what was your finding?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!