Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Access dashboards

The Access dashboards monitor authentication attempts to network devices, endpoints, and applications. These dashboards are useful for detecting malicious authentication attempts, as well as identifying what systems users have accessed either in an authorized or unauthorized manner.

Access Center

The Access Center dashboard provides a summary of all authentication events in your environment. This summary is useful for identifying security incidents involving authentication attempts such as brute-force attacks or the use of clear text passwords, or for identifying authentications to certain systems in off-hours.

Es-AccessCenterDashboard 3.0.png

Use the filtering options at the top of the screen to limit which events are shown. Click chart elements or table rows on this dashboard to display the raw events.

Relevant data sources

Relevant data sources for this dashboard include login information, access information from firewalls, authentication information, and default account activity information.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Authentication data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag the data with "authentication" and "notable".

Dashboard description

Access Center dashboard data is derived from the Authentication data model and accelerated automatically. To verify that authentication data is present, use this search:

 | datamodel Authentication Authentication search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Authentication by user

For more information on distributed namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that access data is indexed in Splunk tag=authentication OR tag=malware OR tag=attack OR tag=notable
or | datamodel Authentication Authentication search
Returns all access data from your device(s)
Verify that authentication data is normalized to the Common Information Model properly | datamodel Authentication Authentication search | table sourcetype action app src src_user dest user Returns a list of events and the specific access activity fields of data populated from your device(s)

Additional Information

For more information about using the Access Center, see "Access Center dashboard" in the Splunk App for Enterprise Security User Manual.

Access Tracker

The Access Center dashboard provides an overview of accounts that are newly active or newly inactive, including accounts that have been inactive for a period of time and recently became active again.

Es-AccessTrackerDashboard24-1.png Es-AccessTrackerDashboard24 2.png

Need a new screen shot with better data

Use the filtering options at the top of the screen to limit which events are shown. Clicking chart elements or table rows on this dashboard will display the raw events that are represented.

The Splunk App for Enterprise Security also includes correlation searches for accounts that have been active for a long period, or inactive accounts that become active. These correlation searches create notable events that show up in the Incident Review dashboard.

Relevant data sources

Access logs from operating systems, databases, and networking equipment are sources for the Access Tracker. Other sources can be applicable as well, such as application logs or building access logs. To determine if a source is relevant, review the fields in the Data Source Integration Manual for applicability.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to Authentication data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag the data with "authentication".

Dashboard description

Access Tracker dashboard data is derived from the Authentication data model and accelerated automatically. To verify that authentication data is present, use this search:

 | datamodel Authentication Authentication search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Authentication by user

For more information on distributed namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that access data is indexed in Splunk tag= authentication
or | datamodel Authentication Authentication search
Returns all access data from your device(s)
Verify that authentication data is normalized to the Common Information Model properly | datamodel Authentication Authentication search | table sourcetype, action, app, src, src_user, dest, user Returns a list of events and the specific default account activity fields of data populated from your device(s)

Additional information

For more information about using the Access Tracker, see "Access Tracker dashboard" in the Splunk App for Enterprise Security User Manual.

Access Search

The Access Search dashboard is used to search for specific authentication-related events. Access Search is similar to the normal Splunk search dashboard, but provides an additional search filters that helps to search for authentication events.

Es-Access SearchDashboard 3.0.png

Use the filtering options at the top of the screen to limit which events are shown. Click on an event in the top panel to open the raw search.

Relevant data sources

Relevant data sources for the Access Search dashboard include access logs from operating systems, databases, and networking equipment. Other sources can be applicable as well, such as application logs or building access logs. To determine if a source is relevant, review the fields in the Data Source Integration Manual for applicability.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Authentication data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag the data with "authentication" and "notable".

Dashboard description

Access Search dashboard data is derived from the Authentication data model and accelerated automatically. To verify that authentication data is present, use this search:

 | datamodel Authentication Authentication search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Authentication by user

For more information on distributed namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that access data is indexed in Splunk tag=authentication
or | datamodel Authentication Authentication search
Returns all data from your device(s)
Verify that authentication data is normalized to the Common Information Model properly | datamodel Authentication Authentication search | table sourcetype action app src src_user dest user Returns a list of events and the specific activity fields of data populated from your device(s)

Additional Information

For more information about using the Access Search dashboard, see "Access Search dashboard" in the Splunk App for Enterprise Security User Manual.

Account Management

The Account Management dashboard shows changes to user accounts, such as account lockouts, newly created accounts, disabled accounts, and password resets.

Es-AccountManagementDashboard 3.0.png

Use the filtering options at the top of the screen to limit which events are shown. Click on chart elements or table rows to display the raw events represented.

Relevant data sources

Relevant data sources for the Account Management dashboard include access logs from operating systems, databases, and networking equipment. Other sources can be applicable as well, such as application logs or building access logs. To determine if a source is relevant, review the fields in the Data Source Integration Manual for applicability.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Change Analysis data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag the data with "account" AND ("management" OR "lockout")

Dashboard description

Account Management dashboard data is derived from the Change_Analysis data model and accelerated automatically. To verify that authentication data is present, use this search:

 | datamodel Change_Analysis Account_Management search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Change_Analysis by user

For more information on distributed namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that access data is indexed in Splunk tag=authentication tag=account AND (management OR lockout)
or | datamodel Change_Analysis Account_Management search
Returns all data from your device(s)
Verify that account management data is normalized to the Common Information Model properly | datamodel Change_Analysis Account_Management search | table signature src src_nt_domain_src_user dest dest_nt_domain user Returns a list of events and the specific account management fields of data populated from your device(s)

Additional Information

For more information about using the Account Management dashboard, see "Account Management dashboard" in the Splunk App for Enterprise Security User Manual.

Default Account Activity

The Default Account Activity dashboard shows activity on "default accounts", that is, out-of-the-box accounts that are enabled by default on various systems, including network infrastructure devices, databases, and applications. Default accounts have well-known passwords and are often not disabled properly when the system is deployed.

In addition, you may need to monitor or investigate authorized use of a default account. Many security policies require that default accounts be disabled. When security policies allow the use of default accounts, it is important to make sure that the password has been changed from the default. Abnormal or non-compliant behavior can indicate security threats or policy violations. If your organization has a policy restricting default accounts, make sure to monitor this dashboard on a regular basis.

Es-default account activity dash.png

Use the filtering options at the top of the screen to limit which events are shown. You can configure new data inputs through Splunk Settings, or manage the list of default accounts through Enterprise Security Configuration. Default accounts are those that have a category of 'default' in the Identities table.

Clicking chart elements or table rows on this dashboard displays the raw events that are represented.

Relevant data sources

Relevant data sources for the Default Account Activity dashboard include out-of-the-box accounts that are enabled by default on various systems, including network infrastructure devices, databases, and applications.

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the Authentication data model. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

3. Tag the data with "account" AND "local" AND ("default" OR "privileged").

4. Add any default accounts to the your identity table.

5. Set the category field to default in the your identity table for each account that is considered a default account.

6. [Optional] Set the business unit field bunit in the Identity table to the appropriate business unit for each account that is considered a default account. Typically, default accounts are not assigned to a specific business unit, since default accounts are not associated with a specific individual.

Report description

Access Center dashboard data is derived from the Authentication data model and accelerated automatically. To verify that authentication data is present, use this search:

 | datamodel Authentication Default_Authentication search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=Authentication by user

For more information on distributed namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches / Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that access data is indexed in Splunk tag=account AND local AND (default OR privileged) Returns all tagged default account activity data from your device(s)
Verify that access attempts for default users are returned | datamodel Authentication Default_Authentication search Returns a list of all default account activity
Verify that authentication data is normalized to the Common Information Model properly | datamodel Authentication Default_Authentication search | table sourcetype action app src src_user dest user Returns a list of events and the specific default account activity fields of data populated from your device(s)

Additional information

For more information about using the Default Account Activity dashboard, see "Default Account Activity dashboard" in the Splunk App for Enterprise Security User Manual.

Last modified on 23 January, 2014
PREVIOUS
Security Domains
  NEXT
Endpoint dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters