Splunk Enterprise Security

Can you help me understand the purpose of the Default User Account dashboard in Splunk ES?

Builder

All,

I am looking at the default user account dashboard in Splunk ES. I sort of assumed that it pulled a list of users out of /etc/shadow and /etc/passwd for all the various stock user accounts that come with Linux and watched for any activity with them? Was I wrong?

I just read the doc and to be honest I am not sure what it does still.

Any help?

0 Karma

Champion

You are on the right track.

The default user account dashboard looks at accounts that are known to ship with operating systems and devices by default (like admin, administrator, etc.). These are treated separately from non-default accounts because:

  1. Generally, default accounts should be disabled if possible, and people may want to monitor for use of default accounts in order to disable them.
  2. Default accounts are more likely to be attacked by malicious users who don't have much knowledge of your environment. Thus, activity against them (even when they are disabled or removed) is a good indicator of a malicious actor in your environment.
0 Karma

Builder

Thanks for the reply. Does Splunk for Nix and Splunk for Windows pull the default account list? Or is this hardcoded somewhere?

0 Karma

Builder

So I have Splunk ES and Splunk TA nix installed. Went ahead and enabled the default FTP account by enabling the shell and went around just poking around. Splunk picks up the logs, but doesn't populate this dashboard. Did I need to enable a "default users" identity list or something?

0 Karma