I have a search for after-hours logins between 6pm and 6am. Right now I have event codes 4625 and 4624 with logon_type 2 and 3. This alert picks up Windows automated services, but I was wondering if there was a way that I can have this search only pick up on user accounts instead of Windows automated services. My search string is:
index=myindexname source="wineventlog:security" Account_Name=* (EventCode=4625 OR EventCode=4624) (Logon_Type=2 OR Logon_Type=3) Logon_Process=Kerberos earliest=-7d@d-6h latest=-7d@d+6h
So you want to exclude Windows automated services from the search. Is this correct? Can you tell us what differentiates a human user from a user used by automated services in your data? If not, this is not the right forum.
User accounts are used by real users, and service accounts are used by system services such as web services, databases, Windows cleanup services. The search that I created shows users and automated services, but if John Doe logs in at 3am we would like to see that rather than needing to dig through Splunk alerts for Windows automated services.
What I am asking is: What in the data can tell whether a record is for a "real" user vs a Windows service user? What is the logic if you are looking at the data, not Splunk?
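As an added example, not part of the thread and not Splunk code, the filter logic the second poster is asking for can be sketched over the fields the events already carry. What the data itself can tell you: computer accounts end in "$", the built-in principals (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) are never people, and Logon_Type 5 (Service) and 4 (Batch) are service-style logons rather than the interactive (2) and network (3) logons from the original search. Anything beyond that, such as a "svc_" naming prefix, is a local convention and is marked as an assumption below. The sample events are constructed, and the field names follow the Splunk-extracted names used in the thread.

```python
"""
Added example: keep after-hours (6pm-6am) logon events 4624/4625 for human
accounts and drop events whose account is identifiable as a service or
machine account from the data itself.

Assumptions not stated in the thread:
  - events are dicts with the Splunk field names Account_Name, Logon_Type,
    EventCode and an ISO-8601 _time string
  - service accounts follow a 'svc_' / 'svc-' naming prefix (SERVICE_PREFIXES
    is a placeholder convention; adapt it to the local domain)
"""
from datetime import datetime, time

# Built-in Windows principals that never represent a person.
BUILTIN_PRINCIPALS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}
# Local naming convention for service accounts (assumption, see docstring).
SERVICE_PREFIXES = ("svc_", "svc-")
# Logon types from the original search: 2 = Interactive, 3 = Network.
HUMAN_LOGON_TYPES = {"2", "3"}
AFTER_HOURS_START = time(18, 0)  # 6 pm
AFTER_HOURS_END = time(6, 0)     # 6 am


def is_service_account(account_name: str) -> bool:
    """True when the account name identifies a machine or service principal."""
    name = account_name.strip()
    if name.endswith("$"):            # computer accounts always end in '$'
        return True
    if name.upper() in BUILTIN_PRINCIPALS:
        return True
    return name.lower().startswith(SERVICE_PREFIXES)  # local convention


def is_after_hours(ts: datetime) -> bool:
    """6pm-6am window; it wraps midnight, so it is an OR of two half-ranges."""
    t = ts.time()
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


def after_hours_human_logons(events):
    """Return the subset of events a person would want to review."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in ("4624", "4625"):
            continue
        if ev.get("Logon_Type") not in HUMAN_LOGON_TYPES:
            continue  # drops Service (5), Batch (4) and other non-user types
        if is_service_account(ev.get("Account_Name", "")):
            continue
        if not is_after_hours(datetime.fromisoformat(ev["_time"])):
            continue
        hits.append(ev)
    return hits


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"_time": "2023-03-01T03:12:00", "EventCode": "4624", "Logon_Type": "2", "Account_Name": "jdoe"},
    {"_time": "2023-03-01T03:15:00", "EventCode": "4624", "Logon_Type": "3", "Account_Name": "WEBSRV01$"},
    {"_time": "2023-03-01T02:40:00", "EventCode": "4624", "Logon_Type": "5", "Account_Name": "svc_backup"},
    {"_time": "2023-03-01T02:41:00", "EventCode": "4624", "Logon_Type": "3", "Account_Name": "svc_sql"},
    {"_time": "2023-03-01T14:00:00", "EventCode": "4625", "Logon_Type": "2", "Account_Name": "asmith"},
    {"_time": "2023-03-01T22:30:00", "EventCode": "4625", "Logon_Type": "2", "Account_Name": "asmith"},
    {"_time": "2023-03-01T23:00:00", "EventCode": "4624", "Logon_Type": "3", "Account_Name": "SYSTEM"},
]

if __name__ == "__main__":
    for ev in after_hours_human_logons(SAMPLE_EVENTS):
        print(ev["_time"], ev["EventCode"], ev["Logon_Type"], ev["Account_Name"])
```

One caveat when carrying this back into the Splunk search: a 4624 event contains two account names (the Subject that requested the logon and the New Logon account), so `Account_Name` is often multivalued and a filter on it should target the New Logon value rather than the whole field, otherwise a SYSTEM subject can mask a human logon.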