Hi István,
it seems that you are hitting the same point as me. Splunk records all user names of login events and therefore also catches typos and even passwords entered in the wrong field. As long as Splunk is not taking only successful logons into account, one should implement a regular report which takes a list of valid users (e.g. fetched with AD_ldapsearch) and drops them out of that table.
Additionally I would suggest not running that correlation search every 5 minutes (seems like the default) but only weekly. Nobody cares whether a user has not logged on for 90 days or for 83 days, but this takes load off your Splunk.
Please let me know what you think about this.
Best regards
Lutz
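An SPL sketch of the two scheduled searches Lutz describes, added here as an example (it is not from the original thread and not Splunk's own content). The first search refreshes a lookup of valid AD accounts using the `ldapsearch` command from the Splunk Supporting Add-on for Active Directory; the second, scheduled weekly, tables the user names seen in Windows logon events that do not exist in AD, so these typos and mistyped passwords can be excluded from the inactive-account correlation search instead of being treated as dormant users. The lookup name `ad_valid_users.csv`, the index `wineventlog` and the `user` field as extracted by the Windows TA are assumptions.

```spl
| ldapsearch search="(&(objectClass=user)(objectCategory=person))" attrs="sAMAccountName"
| rename sAMAccountName AS user
| eval user=lower(user)
| table user
| outputlookup ad_valid_users.csv

index=wineventlog sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4625) user!="*$"
| eval user=lower(user)
| stats count AS logon_attempts, earliest(_time) AS first_seen, latest(_time) AS last_seen BY user
| lookup ad_valid_users.csv user OUTPUT user AS in_ad
| where isnull(in_ad)
| fieldformat first_seen=strftime(first_seen, "%Y-%m-%d")
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d")
| fields - in_ad
```

Both sides are lowercased because AD account names are case-insensitive while Splunk lookups are case-sensitive by default. The `user!="*$"` filter drops computer accounts, which otherwise show up as "users" that never log on interactively. The `lookup ... OUTPUT user AS in_ad` / `where isnull(in_ad)` idiom is used instead of a `NOT [| inputlookup ...]` subsearch so the report does not hit the subsearch result limit in larger domains.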