Splunk Enterprise Security

Can you help me understand the purpose of the Default User Account dashboard in Splunk ES?

daniel333
Builder

All,

I am looking at the default user account dashboard in Splunk ES. I sort of assumed that it pulled a list of users out of /etc/shadow and /etc/passwd for all the various stock user accounts that come with Linux and watched for any activity with them? Was I wrong?

I just read the doc and to be honest I am not sure what it does still.

Any help?

0 Karma

LukeMurphey
Champion

You are on the right track.

The default user account dashboard looks at accounts that are known to ship with operating systems and devices by default (like admin, administrator, etc). These are treated separately from non-default accounts because:

  1. Generally, default accounts should be disabled if possible and people may want to monitor for use of default accounts in order to disable them.
  2. Default accounts are more likely to be attacked by malicious users who don't have much knowledge of your environment. Thus activity against them (even when they are disabled or removed) is a good indicator of a malicious actor in our environment.
0 Karma
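
The two monitoring goals in the answer above (finding default accounts that are still in use, and treating attempts against them as an indicator even when the account is gone), as an added Python example that is not part of the thread and not how Splunk ES builds the dashboard. The account list, the sshd log lines and the function name are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed list of default account names; extend it for your own platforms.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "guest", "ftp"}

# Matches the standard OpenSSH sshd messages for password authentication results.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<action>Accepted|Failed) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample lines in syslog format (not taken from a real host).
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 web01 sshd[2211]: Failed password for invalid user administrator from 203.0.113.7 port 51124 ssh2
Mar  3 10:02:40 web01 sshd[2290]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:05:03 web01 sshd[2342]: Accepted password for ftp from 198.51.100.44 port 40310 ssh2
Mar  3 10:06:19 web01 sshd[2377]: Failed password for root from 203.0.113.7 port 51130 ssh2
"""

def default_account_activity(log_text, defaults=DEFAULT_ACCOUNTS):
    """Return (in_use, attempts) for authentication events on default accounts."""
    in_use = set()          # default accounts that logged in successfully
    attempts = Counter()    # failed attempts against default accounts, per source
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m.group("user").lower() not in defaults:
            continue
        if m.group("action") == "Accepted":
            # Goal 1: a default account that is enabled and being used.
            in_use.add(m.group("user").lower())
        else:
            # Goal 2: counted even when the account does not exist ("invalid user").
            attempts[m.group("src")] += 1
    return in_use, attempts

if __name__ == "__main__":
    used, probes = default_account_activity(SAMPLE_LOG)
    print("default accounts in use:", sorted(used))
    print("failed default-account attempts by source:", dict(probes))
```
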

daniel333
Builder

Thanks for the reply. Does Splunk for Nix and Splunk for Windows pull the default account list? Or is this hardcoded somewhere?

0 Karma

daniel333
Builder

So I have Splunk ES and Splunk TA nix installed. Went ahead and enabled the default FTP account by enabling the shell and went around just poking around. Splunk picks up the logs, but doesn't populate this dashboard. Did I need to enable a ":default users" identity list or something?

0 Karma