Account deleted query

cyber_Maddy · ‎10-26-2021

| datamodel "Change_Analysis" "Account_Management" search | where 'All_Changes.tag'="delete" AND 'All_Changes.user'!="*$*" | stats values(All_Changes.result) as "signature",values(All_Changes.src) as "src",values(All_Changes.dest) as "dest", values(All_Changes.user) as "users", DC(All_Changes.user) as user_count by "All_Changes.Account_Management.src_user" | rename "All_Changes.Account_Management.src_user" as "src_user","All_Changes.user" as "user"

I am using this query to monitor for Account Deleted- But all the time I am getting this alert triggered for the computer account ending with $ symbol

Ex: XYZLAPTOP$ , ABCLAPTOP$ etc

I have added the search where 'All_Changes.tag'="delete" AND 'All_Changes.user'!="*$*""

How can I exclude this $ symbol account from the report? Can any one please help

cyber_Maddy · ‎10-27-2021

I need to exclude the computer account ends with $, with the above query I am getting the result including computer account $. Can anyone please help me with this search query?

Account deleted query

field extraction

search job inspector

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Account deleted query

field extraction

search job inspector

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES