topic Default Account Usage Correlation Search - All user as default in Splunk Enterprise Security

Default Account Usage Correlation Search - All user as default

support0 — Tue, 29 Sep 2020 17:11:20 GMT

Hello there,

On ES (4.7.2), the correlation search "Default Account Usage" is supposed to create notable events for default accounts as stated in its description:

"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."

It seems however that the correlation search does not differentiates between regular users and default accounts.

When looking at the correlation search, it does simply search into tag= auth + default data model.

| tstats summariesonly=true allow_old_summaries=true max(_time) as "lastTime",values(Authentication.tag) as "tag",count from datamodel=Authentication.Authentication where nodename=Authentication.Default_Authentication.Successful_Default_Authentication by "Authentication.dest","Authentication.user","Authentication.app" | rename "Authentication.dest" as "dest","Authentication.user" as "user","Authentication.app" as "app"

Event in Splunk Demo platform, all users are listed in the results not just default accounts like admins and the like.

I am deducing that, the CIM Authentication should be understood like this :

regular user -> tag = auth

default account -> tag = auth + default

priviledged user -> tag = auth + priviledged

Thing is :

sub dataset names are hardly explained. What is expected in these sub datasets is hard to know.
if this is the case, then most TAs should be reworked because most of them map the default tag for all authentication events (cf. Win / Nix TAs)
it seems that there was a lookup to filter default account in the previous version of ES (see : https://answers.splunk.com/answers/120628/manage-splunk-app-for-enterprise-security-default-account-recognition.html). Is there an equivalent in 4.7 version ?

Maybe identity lookup should just contain this default accounts categorized as default. But it is not done this way in the demo identity lookup, so I am not sure.

If anyone has a clue on this, it would be great!

Re: Default Account Usage Correlation Search - All user as default

micahkemp — Tue, 12 Dec 2017 01:36:32 GMT

The TAs aren't the issue in this case. Check out tags.conf in the Windows and nix TAs and you won't find any mention of setting the default tag.

What you're seeing is the ES identity management setting this tag based on the usernames.

If you look at the output of bin/splunk btool tags list --debug you'll see (at least) these entries, as provided by ES identity management:

etc/apps/Splunk_SA_CIM/default/tags.conf             [is_default=true]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [src_user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

And if you look at the builtin identity CSVs you'll probably see some of this:

./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:3comcso,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adfexc,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adm,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:admin|administrator,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:anonymous,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adminuser,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:advmail,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bciim,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bcms,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:browse,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cisco,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cusadmin,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cust,,,,,,,,,,,,default|privileged,,,,,,,

ES is configured to set the default tag if any of the identities it has are found in the username fields it knows about are defined in your identity lookups with the default category.

Re: Default Account Usage Correlation Search - All user as default

support0 — Tue, 29 Sep 2020 17:13:30 GMT

Alright,

More clearer now.

So I usually build my TAs mapped to Authentication DM like this :

tags.conf

[eventtype=foo]
authentication = enabled
default = enabled

Thanks for making me realize that this was a bad habit!

It should be :

[eventtype=bar]
authentication = enabled

AND/OR :

[eventtype=foo]
authentication = enabled
privileged = enabled

for special authentication events for which you know its a privileged access.

For instance in Windows TA :

[windows_special_privileges]
search = sourcetype=*:Security (EventCode=4672 OR EventCode=576)

tags = authentication privileged

Then ES adds a default/privilged tag based on :

administrative_identities.csv
configured identities.csv

Thanks a lot!