Splunk Enterprise Security

Default Account Usage Correlation Search - All user as default

support0
Path Finder

Hello there,

On ES (4.7.2), the correlation search "Default Account Usage" is supposed to create notable events for default accounts as stated in its description:

"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."

It seems, however, that the correlation search does not differentiate between regular users and default accounts.

When looking at the correlation search, it simply searches for tag=auth + default in the data model.

| tstats summariesonly=true allow_old_summaries=true max(_time) as "lastTime",values(Authentication.tag) as "tag",count from datamodel=Authentication.Authentication where nodename=Authentication.Default_Authentication.Successful_Default_Authentication by "Authentication.dest","Authentication.user","Authentication.app" | rename "Authentication.dest" as "dest","Authentication.user" as "user","Authentication.app" as "app"

Even in the Splunk demo platform, all users are listed in the results, not just default accounts like admins and the like.

I am deducing that the CIM Authentication model should be understood like this:

regular user -> tag = auth

default account -> tag = auth + default

privileged user -> tag = auth + privileged

Thing is:

Maybe the identity lookup should just contain these default accounts categorized as default. But it is not done this way in the demo identity lookup, so I am not sure.

If anyone has a clue on this, it would be great!


micahkemp
Champion

The TAs aren't the issue in this case. Check out tags.conf in the Windows and nix TAs and you won't find any mention of setting the default tag.

What you're seeing is the ES identity management setting this tag based on the usernames.

If you look at the output of bin/splunk btool tags list --debug you'll see (at least) these entries, as provided by ES identity management:

etc/apps/Splunk_SA_CIM/default/tags.conf             [is_default=true]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [src_user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

And if you look at the builtin identity CSVs you'll probably see some of this:

./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:3comcso,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adfexc,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adm,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:admin|administrator,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:anonymous,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adminuser,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:advmail,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bciim,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bcms,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:browse,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cisco,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cusadmin,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cust,,,,,,,,,,,,default|privileged,,,,,,,

ES is configured to set the default tag if any of the identities found in the username fields it knows about are defined in your identity lookups with the default category.

support0
Path Finder

Alright,

Much clearer now.

So I usually build my TAs mapped to the Authentication DM like this:

tags.conf

[eventtype=foo]
authentication = enabled
default = enabled

Thanks for making me realize that this was a bad habit!

It should be:

[eventtype=bar]
authentication = enabled

AND/OR:

[eventtype=foo]
authentication = enabled
privileged = enabled

for special authentication events for which you know it's a privileged access.

For instance, in the Windows TA:

[windows_special_privileges]
search = sourcetype=*:Security (EventCode=4672 OR EventCode=576)
tags = authentication privileged

Then ES adds a default/privileged tag based on:

  • administrative_identities.csv
  • configured identities.csv

Thanks a lot!
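To make the tagging chain from the accepted answer and this follow-up concrete, here is an added Python sketch (not Splunk's or ES's code; the lookup header, the lowercasing of usernames and the sample rows are my assumptions). It reproduces how a "default" tag can reach an Authentication event either from a TA's tags.conf stanza or from the identity lookup's category column, and why the old tags.conf habit makes "Default Account Usage" report every user:

```python
import csv
import io

# Constructed identity lookup in the layout of SA-IdentityManagement's
# administrative_identities.csv quoted above (the header is the ES identity lookup
# header as I know it; treat it as an assumption). Identity and category are pipe-delimited.
IDENTITY_CSV = """\
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
admin|administrator,,,,,,,,,,,,default|privileged,,,,,,,
cisco,,,,,,,,,,,,default|privileged,,,,,,,
jdoe,,,,,,,,,,,,,,,,,,,
"""

# Constructed tags.conf stanzas in the two shapes the thread discusses.
EVENTTYPE_TAGS_BAD = {"foo": {"authentication", "default"}}  # every logon is tagged as a default account
EVENTTYPE_TAGS_GOOD = {"foo": {"authentication"}}            # identity management adds default/privileged

def load_identity_categories(text):
    """Map each identity alias (lowercased here, an assumption) to its set of categories."""
    cats = {}
    for row in csv.DictReader(io.StringIO(text)):
        for alias in (row.get("identity") or "").split("|"):
            if alias:
                cats[alias.lower()] = set(filter(None, (row.get("category") or "").split("|")))
    return cats

def event_tags(user, eventtype, eventtype_tags, identity_cats):
    """Tags on one event: eventtype tags plus the [user_category=default] style tags from btool."""
    tags = set(eventtype_tags.get(eventtype, set()))
    tags |= identity_cats.get(user.lower(), set()) & {"default", "privileged"}
    return tags

def default_account_usage(events, eventtype_tags, identity_cats):
    """Users the 'Default Account Usage' search reports: tag=authentication AND tag=default."""
    hits = {user for user, et in events
            if {"authentication", "default"} <= event_tags(user, et, eventtype_tags, identity_cats)}
    return sorted(hits)

# Constructed sample of successful logons as (user, eventtype).
EVENTS = [("admin", "foo"), ("jdoe", "foo"), ("Cisco", "foo")]

if __name__ == "__main__":
    cats = load_identity_categories(IDENTITY_CSV)
    print("bad tags.conf :", default_account_usage(EVENTS, EVENTTYPE_TAGS_BAD, cats))
    print("good tags.conf:", default_account_usage(EVENTS, EVENTTYPE_TAGS_GOOD, cats))
```

With the "bad" stanza every user is reported; with the "good" one only the identities whose category contains default are.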
