Splunk EventCode 4662 with ms-Mcs-AdmPwd

LAPS logging and Splunk

When I tried to search for it in Splunk, nothing came up! According to Splunk, Event Code 4662 is too noisy, and Splunk gives an example that filters out all Event Code 4662 events. I realized I was using the sample inputs.conf from Splunk. Below is a snippet of the default inputs.conf.

It took me a couple of days of trying many combinations of inputs.conf settings, and I finally figured out the correct syntax.

Honey File Monitoring

Basically, honey detection strategies and their actual implementations are based on what you are trying to detect, your assumptions, and the risk your organization can accept. I saw many organizations refuse to consider any kind of honeypot, including virtual honeypots, because they think the risk is too high. So, what is something attractive to an attacker and also beneficial to us as defenders?