Alerting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Query Help
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Query Help
jasonballard
Explorer
11-24-2020
02:47 PM
I have been tasked with writing Queries for the following and I am not sure how to go about it:
Detection / Event Name | Event Description |
Master Password Use | The master password used to access the backend vault was used |
Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used |
Sssd.conf modified on linux server | The sssd.conf file was modified on a linux server |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonballard
Explorer
11-25-2020
11:57 AM
So for the Master Password use, I think I could check the palog. if I go to C:\users\administrator\roaming\cyberark\privateark and check palog, I see entries like: "user master is working with vault prod with x records per send"
As for the Backend Vault Built in Admin Use. That may be something we need to configure the Safe to send out notifications on use and you can trigger off of that email that is sent out.
for sssd.conf, (this is the one I know the least about) I am thinking I need to reach out to our unix/linux group and see if they have any monitoring on those files, and if they do not, we may be able to set something up like the solution for the backend vault built in admin use to send out an email when cyberark changes it. (But I am not 100% on this one.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
11-26-2020
01:55 AM
- If a characteristic term appears in the log, you can just search for it.
e.g. "user master is working " - Now you can also search the output results.
e.g. send out notifications
It is possible to make a query if you have a sample of the log and a description of the source type, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
11-24-2020
03:54 PM
First, you need to check which logs and source types are supported for each item.
Can you present here a sample of the corresponding logs in case of detection?
I've never done it before.
Can you tell by looking at /var/log/sssd/sssd_pam.log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
11-24-2020
03:19 PM
What data do you have regarding these events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonballard
Explorer
11-24-2020
03:20 PM
I was told to base them on "Privileged Access Management (PAM) logs"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
11-24-2020
03:21 PM
Are those logs already in splunk? Can you provide some sample events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonballard
Explorer
11-24-2020
03:29 PM
LIke this?
| `tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=`useother` count by Authentication.action | `drop_dm_object_name("Authentication")`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
11-24-2020
03:35 PM
Does any of this data represent the events you are looking for?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonballard
Explorer
11-24-2020
03:41 PM
To be honest, I am not sure where to start on this. This is my second week in this role.
The email from my boss said "If you have the cycles, below there are a list of use cases for creating alerts based on Privileged Access Management (PAM) logs. Could you give it a go today and tomorrow to see if you can leverage Splunk to find queries that can be used as correlative rules to detect these use cases?
Detection / Event Name | Event Description |
Master Password Use | The master password used to access the backend vault was used |
Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used |
Sssd.conf modified on linux server | The sssd.conf file was modified on a linux server |
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
