Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Access dashboards

The Access Protection domain monitors authentication attempts to network devices, endpoints, and applications within the organization. Access Protection is useful for detecting malicious authentication attempts as well as identifying what systems users have accessed either in an authorized or unauthorized manner.

Access Center dashboard

The Access Center provides a summary of all authentication events. This summary is useful for identifying security incidents involving authentication attempts such as brute-force attacks, or the use of clear text passwords, or for identifying authentications to certain systems in off-hours.

Use the filtering options at the top of the screen to limit which events are shown. Configure new data inputs through the Settings menu, or manage the list of privileged accounts through Enterprise Security Configuration.

Es-AccessCenterDashboard.png

Clicking chart elements or table rows on this page will display the raw events that are represented. See dashboard drilldown for more information. The following table describes the panels for this dashboard.

Panel Description
Dashboard filter Restricts the view on the current dashboard to events that match the selected criteria. Selections apply to the current dashboard only. The following special filter is available:
  • Show only privileged access: restricts the view to events related to privileged access. Any account that is known to have administrator or super-user access is considered privileged (such as root or administrator accounts). This list of accounts can be configured using the asset list; see the Enterprise Security Installation and Configuration Manual for more information.

See descriptions of the standard filter options.

Notable Access Events Displays notable events by type and overall percentage relative to total number of access events. Notable access events are events such as: the detection of default accounts, brute-force behavior, and so on.
Access Over Time This chart provides a summary count of authentication events over time by either action or by the application that performed the authentication. For example, "win:local" refers to the local authentication performed on a Windows system (using the keyboard) and "win:remote" refers to a remote API (such as telnet).
Top Access This table provides the systems with the most access events by source (devices that accessed other devices on the network most frequently) or by destination (devices that were most frequently accessed). This table is useful for detecting brute force attacks, since devices that repeatedly attempt to authenticate are at the top of the list.
Unique Access This table lists the sources that generated the most authentication events by unique user, destination, or application. This table is useful for detecting brute force attacks:
* Attacks that target a single account across any number of hosts, will show a high number of destinations accessed.
* Attacks that target a single system with a high number of authentication attempts, will show a high number of users.

Access Tracker dashboard

The Access Tracker dashboard gives an overview of accounts that are newly active or newly inactive, including accounts that have been inactive for a period of time and recently became active again. It is not uncommon for accounts to incorrectly remain on the system when a user leaves the organization. These accounts are often vulnerable to attackers. It is a good idea to check this dashboard on a regular basis per the enterprise security policy to see inactive accounts. In addition, a security analyst may use this dashboard during an investigation to identify suspicious accounts and look more closely at what those users have been doing.

Es-AccessTrackerDashboard22 1.png Es-AccessTrackerDashboard22 2.png

In addition to this dashboard, the Splunk App for Enterprise Security includes correlation searches for accounts that have been active for a long period, or inactive accounts that become active. These correlation searches create notable events that are displayed in the Incident Review dashboard.

The following table describes the panels for this dashboard. Drilldown is available for graphs and tables. See dashboard drilldown for more information.

Panel Description
Dashboard filter Restricts the view on the current dashboard to events that match the selected criteria. Selections apply to the current dashboard only. See descriptions of the standard filter options.
First Time Account Access Summarizes activity for all accounts that were first accessed within the specified time frame (default = 30 days). Use this panel to verify that new account usage follows normal patterns or to locate accounts that look incorrect.
Inactive Account Usage Displays accounts that were inactive for a period of time, but that have shown recent activity. These accounts may have been successfully attacked.
Completely Inactive Accounts Displays accounts that have shown no activity in the time specified (default = 90 days). Use this panel to identify accounts that should be deleted from the system - for example, accounts that belong to people who have left the organization. If the organization has a policy that requires password change after a specified interval, then accounts that have shown no activity for more than that interval are known to be inactive.
This panel also indicates the effectiveness of the enterprise's policy for closing accounts. If there are a large number of inactive accounts, the process may need to be reviewed.
Account Usage for Expired Identities Summarizes activity for all accounts that are marked terminated within the specified time frame (default = 30 days). Use this panel to verify that accounts that should no longer have activity are not being used.

Access Search dashboard

The Access Search dashboard is used to search for specific authentication-related events. Access Search is similar to the normal Splunk search dashboard, but provides an additional search filters that helps to search for authentication events. There are two ways to get here: by selecting directly from the menu or as part of a workflow from other parts of the application. Coming from another part of the application, certain fields will be pre-populated in the search, although in some cases there may be a reason to move a value to a different field (for example, to search on an IP as a dest rather than a src).

Es-Access SearchDashboard22.png

The following filter options are available:

Filter Description
Action Sets whether to see successes or failures; leave blank to see all actions
App Sets a specific access method; leave blank to see all access methods
Source Specifies a string that the source must match
Source user Specifies a string that the source user must match
Destination Specifies a string that the destination must match
User Specifies a string that the user must match
Business unit Specifies the business unit that the search must match
Category Specifies the category (from a drop-down list) that the search must match
Search Specifies the type of search the search must match
Time range Specified the time range (from a drop-down list) that the search must match

Correlate with other domains

To get more information about a host involved in an event, right-click on the down arrow next to the field value at the bottom of the event.

Account Management dashboard

The Account Management dashboard shows changes to user accounts, such as account lockouts, newly created accounts, disabled accounts, and password resets. Use this dashboard to verify that accounts are being administered correctly and that administration privileges for each type of account are restricted to the correct users and roles. A sudden increase in the number of accounts created, modified, or deleted can mean a rogue system or malicious behavior. A high number of account lockouts may indicate an attack.

Use the filtering options at the top of the screen to limit which events are shown. Configure new data inputs through the Settings menu, or manage the list of privileged accounts through Enterprise Security Configuration.

Es-AccountManagementDashboard22 1.png Es-AccountManagementDashboard22 2.png

Click on chart elements or table rows to display the raw events that are represented. See dashboard drill-down for more information.

The following table describes the panels for this dashboard.

Panel Description
Dashboard filter Restricts the view on the current dashboard to events that match the selected criteria. Selections apply to the current dashboard only. The following special filter is available:
  • Show only privileged access: Restricts the view to events related to privileged access. Any account that is known to have administrator or super-user access is considered privileged (such as root or administrator accounts). This list of accounts can be configured using Configure > Lists and Lookups > Default Accounts. See the Installation and Configuration Manual and descriptions of the standard filter options for more information.
Account Management by Time Shows all user account management events over time. For example, a spike in lockout events may indicate a brute-force attack.
Account Lockouts Shows all account lockouts including the number of authentication attempts per account. Brute-force attacks generally show up as multiple locked-out accounts, often using default account names like "administrator" or "root".
Account Management by Source User Tracks the total account management activity by source user and shows the source users with the most account management events. The source user is the user that performed the account management event, rather than the user that was affected by the event. For example, if user "John.Doe" creates an account "Martha.Washington", then "John.Doe" is the source user.

This panel helps identify accounts that should not be managing other accounts and shows spikes in account management events, such as the deletion of a large number of accounts.

Top Account Management Events The Top Account Management Events panel shows the most frequent management events in the specified time period.
Recent Account Management Summarizes all account management events in the past 60 minutes. This panel can be useful during an investigation.

Default Account Activity dashboard

The Default Account Activity dashboard shows activity on "default accounts", that is, out-of-the-box accounts that are enabled by default on various systems, including network infrastructure devices, databases, and applications. Default accounts have well-known passwords and are often not disabled properly when the system is deployed.

In addition, there may be a need to monitor or investigate authorized use of a default account. Many security policies require that default accounts be disabled. When security policies allow the use of default accounts, it is important to make sure that the password has been changed from the default. Abnormal or deviant behavior can indicate security threats or policy violations. If the organization has a policy restricting default accounts, make sure to monitor this dashboard on a regular basis.

Es-DefaultAccountActivityDashboard22.png

The following table describes the panels for this dashboard. Drilldown is available for graphs and tables. See dashboard drilldown for more information.

Panel Description
Dashboard filter Restricts the view on the current dashboard to events that match the selected criteria. Selections apply to the current dashboard only. See descriptions of the standard filter options.
Default Account Usage by Time Shows default account activity on all systems and applications within the infrastructure in the selected time frame. Accounts are shown by the number of successful login attempts and when the last attempt was made. Use this chart to identify spikes in default account login activity, which may indicate a security incident as well as to determine whether default account use is common (for example, a daily event) or rare.
Default Accounts in Use Shows all default user accounts with a high number of login attempts on different hosts, including the last attempt made. Abnormal default user account activity that could indicate a security threat. Also helps ensure that default account behavior matches the security policy.
Default Local Accounts Lists all default accounts that are active on the enterprise systems, including accounts "at rest". Any default accounts that are available are listed, regardless of whether the account was actually used. Only those accounts that were detected on a local system - for example, by examining the users list on a host - are included in this list.
Last modified on 27 April, 2015
Protocol Intelligence dashboards   Endpoint dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters