Alerting

Query Help

jasonballard
Explorer

I have been tasked with writing queries for the following and I am not sure how to go about it:

Detection / Event Name | Event Description
Master Password Use | The master password used to access the backend vault was used
Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used
Sssd.conf modified on linux server | The sssd.conf file was modified on a linux server

0 Karma

jasonballard
Explorer
So for the Master Password use, I think I could check the palog. If I go to C:\users\administrator\roaming\cyberark\privateark and check palog, I see entries like: "user master is working with vault prod with x records per send"

As for the Backend Vault Built in Admin Use, that may be something we need to configure the Safe to send out notifications on use, and you can trigger off of that email that is sent out.

For sssd.conf (this is the one I know the least about), I am thinking I need to reach out to our unix/linux group and see if they have any monitoring on those files. If they do not, we may be able to set something up like the solution for the backend vault built-in admin use, to send out an email when cyberark changes it. (But I am not 100% on this one.)
0 Karma

to4kawa
Ultra Champion
  • If a characteristic term appears in the log, you can just search for it.
    e.g. "user master is working "
  • Now you can also search the output results.
    e.g. send out notifications

It is possible to make a query if you have a sample of the log and a description of the source type, etc.

0 Karma
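A concrete version of to4kawa's advice (search for the characteristic term, then schedule that search as an alert), added here as an example and not from any poster in the thread: a savedsearches.conf fragment with one scheduled alert per row of the table. The index, sourcetype, audit key and account names are assumptions to be replaced with the real onboarding details; the sssd.conf rule further assumes the Linux team has an auditd watch on that file feeding Splunk, which the thread has not confirmed.

```ini
# savedsearches.conf fragment (constructed example, not from any poster). index=,
# sourcetype= and the audit key are placeholders: match them to the real onboarding.

[PAM - Master Password Use]
# Keys off the characteristic palog phrase quoted in the thread, then pulls
# out the account and vault so the alert can be grouped and reported on.
search = index=pam sourcetype=cyberark:palog "is working with vault" \
| rex "user (?<vault_user>\S+) is working with vault (?<vault>\S+)" \
| search vault_user=master \
| stats count min(_time) as first_seen max(_time) as last_seen by host vault_user vault
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5

[PAM - Backend Vault Built-in Admin Use]
# Assumes the built-in admin (account name "Administrator") shows up in the
# same palog format; if it only surfaces via Safe notification e-mails, point
# this search at that ingested mail source instead.
search = index=pam sourcetype=cyberark:palog "is working with vault" \
| rex "user (?<vault_user>\S+) is working with vault (?<vault>\S+)" \
| search vault_user=administrator \
| stats count min(_time) as first_seen max(_time) as last_seen by host vault_user vault
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5

[PAM - sssd.conf Modified on Linux Server]
# Assumes auditd watches the file (-w /etc/sssd/sssd.conf -p wa -k sssd_conf)
# and the audit log is indexed; type=SYSCALL rows carry who (auid) and what (exe).
search = index=linux sourcetype=linux_audit type=SYSCALL key=sssd_conf \
| stats count values(exe) as exe values(auid) as auid values(comm) as comm by host
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5
```

Running each `search =` value interactively over the last 24 hours first is the quickest way to confirm the sourcetype and field names are right before enabling the schedule.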

to4kawa
Ultra Champion

First, you need to check which logs and source types are supported for each item.

Can you present here a sample of the corresponding logs in case of detection?

I've never done it before.
Can you tell by looking at /var/log/sssd/sssd_pam.log?

0 Karma

ITWhisperer
SplunkTrust

What data do you have regarding these events?

jasonballard
Explorer

I was told to base them on "Privileged Access Management (PAM) logs"

0 Karma

ITWhisperer
SplunkTrust

Are those logs already in splunk? Can you provide some sample events?

jasonballard
Explorer

Like this?

| `tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=`useother` count by Authentication.action | `drop_dm_object_name("Authentication")`

ITWhisperer
SplunkTrust

Does any of this data represent the events you are looking for?

0 Karma

jasonballard
Explorer

To be honest, I am not sure where to start on this. This is my second week in this role.

The email from my boss said "If you have the cycles, below there are a list of use cases for creating alerts based on Privileged Access Management (PAM) logs.  Could you give it a go today and tomorrow to see if you can leverage Splunk to find queries that can be used as correlative rules to detect these use cases?

Detection / Event Name | Event Description
Master Password Use | The master password used to access the backend vault was used
Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used
Sssd.conf modified on linux server | The sssd.conf file was modified on a linux server

0 Karma