I want to add a filter to the existing Suspicious - User Login from Multiple Hosts rule such that it ignores activity by service accounts. As these end in a $, I think what I need is this:
Am I barking completely up the wrong tree?
Add a dynamic watchlist for users ending with a dollar, and then in the source user field in the correlation rule configure "not in" the "users ending with a dollar" watchlist.
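As an added illustration, not code from this thread or from any SIEM product, the same exclusion in Python: a watchlist of source users whose name ends in "$" is built from the events, and a minimal "login from multiple hosts" check skips every user found in it. The event fields, the host threshold and the sample events are assumptions.

```python
from collections import defaultdict

# Constructed sample logon events (not from the original post): source user, host.
SAMPLE_EVENTS = [
    {"user": "alice", "host": "WS01"},
    {"user": "alice", "host": "WS02"},
    {"user": "alice", "host": "WS03"},
    {"user": "bob", "host": "WS01"},
    {"user": "CORP\\SRV01$", "host": "WS01"},
    {"user": "corp\\srv01$", "host": "WS02"},   # same account, different case
    {"user": "CORP\\SRV01$", "host": "WS03"},
    {"user": "CORP\\SRV01$", "host": "WS04"},
]


def normalize(user):
    """Account names are case-insensitive, so compare them in one case."""
    return user.strip().upper()


def build_watchlist(events):
    """Dynamic watchlist: every source user seen whose name ends with '$'.

    In Active Directory the trailing '$' marks a computer account, which is
    what the thread is treating as a service account.
    """
    return {normalize(e["user"]) for e in events if e["user"].rstrip().endswith("$")}


def multi_host_logins(events, threshold=3, watchlist=frozenset()):
    """Return {user: sorted hosts} for users seen on >= threshold distinct hosts,
    skipping any user in the watchlist (the rule's "not in" condition)."""
    hosts_by_user = defaultdict(set)
    for e in events:
        user = normalize(e["user"])
        if user in watchlist:
            continue
        hosts_by_user[user].add(e["host"])
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= threshold}


if __name__ == "__main__":
    wl = build_watchlist(SAMPLE_EVENTS)
    print("without watchlist:", multi_host_logins(SAMPLE_EVENTS))
    print("with watchlist:   ", multi_host_logins(SAMPLE_EVENTS, watchlist=wl))
```

Without the watchlist the computer account fires the rule alongside alice; with it, only alice is reported.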