Is Splunk or Ent. Security able to detect attacks ...

SamHTexas · ‎06-27-2021

Is Splunk Enterprise or Splunk Ent. Security (ES) able to detect attacks by rogue systems or Artificially Intelligent enabled Server? Are AI enabled servers able to create user accounts in my Splunk environment?

venkatasri · ‎06-27-2021

Hi @SamHTexas

Splunk Core/Ent* and ES are no exception for an attack. Having said that similar to any other systems Splunk stack shall be protected as well, if someone managed to create a user they would be having full access from outside, and as far as i know there are no prebuilt reports for user creations and malicious activities identification.

Splunk _audit logs are place to find in case of something unusual activity is happening. Create a schedule search/ on ES create notable search to SOC to analyze
If someone gain access to Splunk host they can create stuff from CLI and update .conf similar to any other host, they shall be monitored as well for file system changes and abrupt restarts.
Do not expose Rest API and web ports to public internet.

these are some of the tips there could be many detections that needs to be enabled to monitor Splunk security posture it depends on how it has implemented and tools in place. Splunk ES can be used to monitor whole Splunk itself however custom notable searches shall be created.

----

An upvote would be appreciated and Accept solution if it helps!

Is Splunk or Ent. Security able to detect attacks by rogue systems or Artificially Intelligent enabled Server?

access control

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk