Alerting

Query Help

jasonballard
Explorer

I have been tasked with writing Queries for the following and I am not sure how to go about it:

Detection / Event Name | Event Description
Master Password Use | The master password used to access the backend vault was used
Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used
Sssd.conf modified on linux server | The sssd.conf file was modified on a linux server

0 Karma

jasonballard
Explorer
So for the Master Password use, I think I could check the palog. If I go to C:\users\administrator\roaming\cyberark\privateark and check palog, I see entries like: "user master is working with vault prod with x records per send"

As for the Backend Vault Built in Admin Use, that may be something we need to configure the Safe to send out notifications on use, and you can trigger off of that email that is sent out.

For sssd.conf (this is the one I know the least about), I am thinking I need to reach out to our Unix/Linux group and see if they have any monitoring on those files. If they do not, we may be able to set something up like the solution for the Backend Vault Built in Admin Use, to send out an email when CyberArk changes it. (But I am not 100% on this one.)
0 Karma
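As an added illustration that is not from this thread or from CyberArk, the following Python script shows the detection logic for the first two use cases run over constructed palog lines shaped like the entry quoted above; the timestamp format, the "Administrator" account name and the idea of a watched-account map are assumptions, and in Splunk the same logic would be a search on the ingested palog.

```python
import re

# Constructed sample palog lines in the shape quoted in the thread
# (the timestamp format is an assumption; the real file sits under
# C:\users\<user>\roaming\cyberark\privateark\palog on the client).
SAMPLE_PALOG = """\
2024-01-15 08:02:11 user jsmith is working with vault prod with 50 records per send
2024-01-15 08:05:43 user master is working with vault prod with 100 records per send
2024-01-15 09:17:02 user backup_svc is working with vault dr with 50 records per send
2024-01-15 11:40:19 user master is working with vault prod with 100 records per send
"""

# Pattern derived from the quoted entry: capture the user and vault names,
# ignore the "records per send" count.
PALOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user (?P<user>\S+) is working with vault (?P<vault>\S+)"
)

# Accounts whose use should raise an alert, keyed lowercase. "master" comes
# from the thread; the built-in vault admin name is an assumption, so
# substitute the real account name for "administrator" in your environment.
PRIVILEGED_ACCOUNTS = {
    "master": "Master Password Use",
    "administrator": "Backend Vault Built in Admin Use",
}


def parse_palog(text):
    """Yield (timestamp, user, vault) for every line matching the palog shape."""
    for line in text.splitlines():
        m = PALOG_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("vault")


def detect_privileged_use(text, watched=PRIVILEGED_ACCOUNTS):
    """Return one alert dict per privileged-account vault session in the log."""
    alerts = []
    for ts, user, vault in parse_palog(text):
        name = watched.get(user.lower())
        if name:
            alerts.append({"time": ts, "user": user, "vault": vault, "detection": name})
    return alerts


if __name__ == "__main__":
    for a in detect_privileged_use(SAMPLE_PALOG):
        print(f"{a['time']} {a['detection']}: {a['user']} on vault {a['vault']}")
```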

to4kawa
Ultra Champion
  • If a characteristic term appears in the log, you can just search for it.
    e.g. "user master is working "
  • Now you can also search the output results.
    e.g. send out notifications

    It is possible to make a query if you have a sample of the log and a description of the source type, etc.

 

0 Karma

to4kawa
Ultra Champion

First, you need to check which logs and source types are supported for each item.

Can you present here a sample of the corresponding logs in case of detection?

I've never done it before.
Can you tell by looking at /var/log/sssd/sssd_pam.log?

0 Karma

ITWhisperer
SplunkTrust

What data do you have regarding these events?

jasonballard
Explorer

I was told to base them on "Privileged Access Management (PAM) logs"

0 Karma

ITWhisperer
SplunkTrust

Are those logs already in splunk? Can you provide some sample events?

jasonballard
Explorer

Like this?

| `tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=`useother` count by Authentication.action | `drop_dm_object_name("Authentication")`

ITWhisperer
SplunkTrust

Does any of this data represent the events you are looking for?

0 Karma

jasonballard
Explorer

To be honest, I am not sure where to start on this. This is my second week in this role.

The email from my boss said "If you have the cycles, below there are a list of use cases for creating alerts based on Privileged Access Management (PAM) logs. Could you give it a go today and tomorrow to see if you can leverage Splunk to find queries that can be used as correlative rules to detect these use cases?

Detection / Event Name | Event Description
Master Password Use | The master password used to access the backend vault was used
Backend Vault Built in Admin Use | The built-in admin account on the backend vault was used
Sssd.conf modified on linux server | The sssd.conf file was modified on a linux server

0 Karma