Alerting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Query Help
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Query Help
jasonballard
Explorer
11-24-2020
02:47 PM
I have been tasked with writing Queries for the following and I am not sure how to go about it:
Detection / Event Name | Event Description |
Master Password Use | The master password used to access the backend vault was used |
Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used |
Sssd.conf modified on linux server | The sssd.conf file was modified on a linux server |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonballard
Explorer
11-25-2020
11:57 AM
So for the Master Password use, I think I could check the palog. if I go to C:\users\administrator\roaming\cyberark\privateark and check palog, I see entries like: "user master is working with vault prod with x records per send"
As for the Backend Vault Built in Admin Use. That may be something we need to configure the Safe to send out notifications on use and you can trigger off of that email that is sent out.
for sssd.conf, (this is the one I know the least about) I am thinking I need to reach out to our unix/linux group and see if they have any monitoring on those files, and if they do not, we may be able to set something up like the solution for the backend vault built in admin use to send out an email when cyberark changes it. (But I am not 100% on this one.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
11-26-2020
01:55 AM
- If a characteristic term appears in the log, you can just search for it.
e.g. "user master is working " - Now you can also search the output results.
e.g. send out notifications
It is possible to make a query if you have a sample of the log and a description of the source type, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
11-24-2020
03:54 PM
First, you need to check which logs and source types are supported for each item.
Can you present here a sample of the corresponding logs in case of detection?
I've never done it before.
Can you tell by looking at /var/log/sssd/sssd_pam.log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
11-24-2020
03:19 PM
What data do you have regarding these events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonballard
Explorer
11-24-2020
03:20 PM
I was told to base them on "Privileged Access Management (PAM) logs"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
11-24-2020
03:21 PM
Are those logs already in splunk? Can you provide some sample events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonballard
Explorer
11-24-2020
03:29 PM
LIke this?
| `tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=`useother` count by Authentication.action | `drop_dm_object_name("Authentication")`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
11-24-2020
03:35 PM
Does any of this data represent the events you are looking for?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jasonballard
Explorer
11-24-2020
03:41 PM
To be honest, I am not sure where to start on this. This is my second week in this role.
The email from my boss said "If you have the cycles, below there are a list of use cases for creating alerts based on Privileged Access Management (PAM) logs. Could you give it a go today and tomorrow to see if you can leverage Splunk to find queries that can be used as correlative rules to detect these use cases?
Detection / Event Name | Event Description |
Master Password Use | The master password used to access the backend vault was used |
Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used |
Sssd.conf modified on linux server | The sssd.conf file was modified on a linux server |
Get Updates on the Splunk Community!
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
Splunk Answers Content Calendar, June Edition II
Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
