Re: BIAS logins Usecases

revanthammineni · ‎05-29-2023

Hi Splunkers,

I recently set up a use case based of BIAS failure logins with a threshold limit of 9 logins per day according to my company requirements. Now, My management asking me to check if there are any out of the box Splunk features we could run against BIAS logs + Domain controller logs.

Any information regarding this would be helpful. Also, I'm trying to use
"iplocation"

richgalloway · ‎05-29-2023

Please describe the problems you are trying to solve regarding your BIAS logs and we may be able to offer suggestions for them.

Please post a new question about iplocation.

---
If this reply helps you, Karma would be appreciated.

revanthammineni · ‎05-29-2023

In the BIAS Logins check, is there any logic that alerts on "Defenders should also look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time)."?

richgalloway · ‎05-29-2023

Abnormal account activity is a broad topic for which Splunk has a dedicated product - UBA (Use Behavior Analytics).

The Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435) has example searches for geographically improbable access and access outside of business hours. You should be able to adapt them to your needs.

---
If this reply helps you, Karma would be appreciated.

BIAS logins Usecases- Are any out of the box Splunk features we could run against BIAS logs + Domain controller logs?

other

proactive Splunk component monitoring

search performance

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!