Can Splunk (using dbconnect) match McAfee Database Activity Monitor (i.e for monitoring user activity, etc.)? How?

dgersper
New Member

Some old answers exist around dbconnect and possible things coming in the future, but can we use Splunk/DBConnect to match (replace) everything that McAfee Database Activity Monitoring does?

adauria_splunk
Splunk Employee

McAfee DAM offers the ability to detect suspicious/malicious queries by monitoring them on the host itself with an agent that reads running queries from memory. It is also able to block (after a race condition, letting some data through) and quarantine malicious use/users of the system. Typical out-of-the-box rules include detection of tricky SQL injection activity, privilege escalation, and other generic and platform-specific exploits. In addition, this product also includes scanning modules, which I'll consider outside the scope of the question unless I hear otherwise.

As for the ability to detect malicious activity against databases in real time - YES, Splunk can do much of this. Take a look at the following apps:

DB Connect - https://splunkbase.splunk.com/app/2686/
This can be used to pull data from tables in nearly any JDBC-accessible database platform, including audit tables that would let you examine queries for malicious activity.

Oracle Add-On - https://splunkbase.splunk.com/app/1910/
Includes a number of very useful queries for monitoring user activity; works with DB Connect.

MS SQL Add-On - https://splunkbase.splunk.com/app/2648/
Includes a number of very useful queries for monitoring user activity; works with DB Connect.

Splunk App for Stream - https://splunkbase.splunk.com/app/1809/
Provides an alternative to DB Connect for monitoring queries by allowing you to pull query strings off the network as decoded wire data. It can even decrypt encrypted traffic if you can provide the private key.

SQL Injection Search - https://splunkbase.splunk.com/app/1528/
Provides some ability to detect malicious data in SQL strings. This page also has advice for other methods to detect it.

Now, for most of these apps above, you will need to research and produce a lot of the "content," i.e. Splunk search intelligence to detect the malicious behavior you are trying to detect. With McAfee DAM, part of the value prop is that they provide the rules and content. That said, you will find a LOT of good advice on how to detect malicious activity in SQL query strings out there, which you can directly apply to Splunk search and tailor to your specific environment. Here are a couple of Splunk blogs on the subject, but Google for this generically and you'll find lots more:
http://blogs.splunk.com/tag/sql-injection/

In terms of blocking this activity, the vast majority of McAfee DAM users do not enable this. If you actually want to do this with Splunk, you should look into creating a custom alert action and leverage your DB platform's API or another scripted method. As with McAfee, you will likely find yourself in a race condition under the best of circumstances.

Good luck!


dgersper
New Member

Wow, that's incredibly helpful. I get the impression that it can come close (with a lot of custom work) but really isn't a pure match for what DAM can do. Which is fine, we are trying to figure out the potential. One question that remains for me at this time is whether there is a charge for the add-ons? There doesn't seem to be, but I am reaching out to our rep to find out. Thanks for the info.

cconner
New Member

Great information. Will this work with Splunk Cloud as well?

adauria_splunk
Splunk Employee

Glad it was useful. Every add-on listed above is absolutely free. The only thing you'd be charged for in this scenario is the amount of raw data you ingest as part of your core (if it ends up exceeding your current license).
