Hi All, we're tuning the Splunk App for Enterprise Security setup for one Customer and we're experiencing a LOT of Notable Events for the Correlation Search "Default account activity detected", generated not only for default user accounts but also for regular user accounts.
It seems that the "default_user_accounts" macro invoked by the rule doesn't look in the identity.csv file for default users, but in another "identities_expanded.csv" lookup file. The online docs for Splunk App for ES 2.4 mention a postprocess search that generates this csv, but I couldn't find it.
Any idea on how to clean and set the default account detection correctly?
regards, Marco