- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I would like to know the aim of this default constraint :
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![gcusello gcusello](https://community.splunk.com/legacyfs/online/avatars/553812.jpg)
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
Hi @splunkreal,
user names ending with $ are windows service accounts and usually they aren't relevant in authentication monitoring.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![gcusello gcusello](https://community.splunk.com/legacyfs/online/avatars/553812.jpg)
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
Hi @splunkreal,
user names ending with $ are windows service accounts and usually they aren't relevant in authentication monitoring.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
As far as I remember, there are two kinds of account that have names ending with $ (in Windows - for other systems it's highly unlikely that there will be an account named this way; but it would be nice to account for that) - Managed Service Accounts (which @gcusello already mentioned) and computer accounts. Both of those account types are authenticated without using interactive authentication modes so they're irrelevant to the events you're looking for in this dataset.
![](/skins/images/5D2DD17C284106BFBF80528D01D8AA1A/responsive_peak/images/icon_anonymous_message.png)