I have been tasked with writing queries for the following and I am not sure how to go about it:
| Detection / Event Name | Event Description |
|---|---|
| Master Password Use | The master password used to access the backend vault was used |
| Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used |
| Sssd.conf modified on Linux server | The sssd.conf file was modified on a Linux server |
First, you need to check which logs and source types are supported for each item.
Can you present here a sample of the corresponding logs in case of detection?
I've never done it before.
Can you tell by looking at /var/log/sssd/sssd_pam.log?
What data do you have regarding these events?
I was told to base them on "Privileged Access Management (PAM) logs"
Are those logs already in splunk? Can you provide some sample events?
Like this?
| `tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=`useother` count by Authentication.action | `drop_dm_object_name("Authentication")`
Does any of this data represent the events you are looking for?
To be honest, I am not sure where to start on this. This is my second week in this role.
The email from my boss said "If you have the cycles, below there are a list of use cases for creating alerts based on Privileged Access Management (PAM) logs. Could you give it a go today and tomorrow to see if you can leverage Splunk to find queries that can be used as correlative rules to detect these use cases?
| Detection / Event Name | Event Description |
|---|---|
| Master Password Use | The master password used to access the backend vault was used |
| Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used |
| Sssd.conf modified on Linux server | The sssd.conf file was modified on a Linux server |
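As an added example (not posted by anyone in this thread), here is the third use case, sssd.conf modification, worked through as detection logic over constructed auditd records, with the matching SPL in a comment. The audit rule key `sssd_conf`, the `node=` host field and the `linux_audit` sourcetype are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not real data). Assumes the audit rule
#   -w /etc/sssd/sssd.conf -p wa -k sssd_conf
# is loaded, and that audisp-syslog forwards records with name_format=hostname,
# so each line starts with node=<host>. Fields follow auditd's key=value layout.
SAMPLE_AUDIT_LOG = """\
node=auth01 type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=0 euid=0 tty=pts0 ses=7 comm="vim" exe="/usr/bin/vim" key="sssd_conf"
node=auth01 type=PATH msg=audit(1700000000.101:501): item=1 name="/etc/sssd/sssd.conf" inode=263201 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
node=auth01 type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=no exit=-13 auid=1002 uid=1002 euid=1002 tty=pts1 ses=8 comm="nano" exe="/usr/bin/nano" key="sssd_conf"
node=auth02 type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=82 success=yes exit=0 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3" key="sssd_conf"
node=auth02 type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 euid=1001 tty=pts0 ses=9 comm="vim" exe="/usr/bin/vim" key="sshd_config"
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # auditd's -1: no login session (daemons, cron, config management)

def parse_record(line):
    """Split one auditd record into a dict, dropping the quotes around quoted values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in TOKEN_RE.findall(line)}

def detect_sssd_conf_changes(raw_log, watch_key="sssd_conf"):
    """Group successful writes that hit the watch rule by (host, login uid).

    Only type=SYSCALL records are counted: the PATH records sharing an event id
    would otherwise double-count one write. Denied attempts (success=no) and other
    watch keys are skipped. An auid of 4294967295 is reported as "unset", which is
    how unattended changes (cron, configuration management) show up.
    """
    hits = defaultdict(lambda: {"count": 0, "executables": set(), "first": None, "last": None})
    for line in raw_log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != watch_key or rec.get("success") != "yes":
            continue
        stamp = re.search(r"audit\((\d+)\.", rec.get("msg", ""))
        ts = int(stamp.group(1)) if stamp else 0
        actor = "unset" if rec.get("auid") == UNSET_AUID else rec.get("auid", "")
        hit = hits[(rec.get("node", "unknown"), actor)]
        hit["count"] += 1
        hit["executables"].add(rec.get("exe", ""))
        hit["first"] = ts if hit["first"] is None else min(hit["first"], ts)
        hit["last"] = ts if hit["last"] is None else max(hit["last"], ts)
    return dict(hits)

# Equivalent SPL once the same records are indexed (index and sourcetype names
# are assumptions, not values from the thread):
#   index=linux sourcetype=linux_audit type=SYSCALL key=sssd_conf success=yes
#   | stats count min(_time) AS first_seen max(_time) AS last_seen values(exe) AS executables BY host auid
```

The `success=no` record is dropped here on purpose; a denied write to sssd.conf is still worth its own lower-severity alert.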