Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

BIAS logins Usecases- Are any out of the box Splunk features we could run against BIAS logs + Domain controller logs?

revanthammineni
Path Finder
‎05-29-2023 12:16 AM

Hi Splunkers,

I recently set up a use case based of BIAS failure logins with a threshold limit of 9 logins per day according to my company requirements.  Now, My management asking me to check if there are any out of the box Splunk features we could run against BIAS logs + Domain controller logs.

Any information regarding this would be helpful. Also, I'm trying to use 
"iplocation" 

Tags (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2023 07:25 AM

Please describe the problems you are trying to solve regarding your BIAS logs and we may be able to offer suggestions for them.

Please post a new question about iplocation.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

revanthammineni
Path Finder
‎05-29-2023 08:04 AM

In the BIAS Logins check, is there any logic that alerts on "Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time)."?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-29-2023 08:59 AM

Abnormal account activity is a broad topic for which Splunk has a dedicated product - UBA (Use Behavior Analytics).

The Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435) has example searches for geographically improbable access and access outside of business hours.  You should be able to adapt them to your needs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...