Splunk Enterprise Security

Default Account Usage Correlation Search - All user as default

support0
Path Finder

Hello there,

On ES (4.7.2), the correlation search "Default Account Usage" is supposed to create notable events for default accounts as stated in its description:

"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."

It seems however that the correlation search does not differentiates between regular users and default accounts.

When looking at the correlation search, it does simply search into tag= auth + default data model.

| tstats summariesonly=true allow_old_summaries=true max(_time) as "lastTime",values(Authentication.tag) as "tag",count from datamodel=Authentication.Authentication where nodename=Authentication.Default_Authentication.Successful_Default_Authentication by "Authentication.dest","Authentication.user","Authentication.app" | rename "Authentication.dest" as "dest","Authentication.user" as "user","Authentication.app" as "app"

Event in Splunk Demo platform, all users are listed in the results not just default accounts like admins and the like.

I am deducing that, the CIM Authentication should be understood like this :

regular user -> tag = auth

default account -> tag = auth + default

priviledged user -> tag = auth + priviledged

Thing is :

Maybe identity lookup should just contain this default accounts categorized as default. But it is not done this way in the demo identity lookup, so I am not sure.

If anyone has a clue on this, it would be great!

0 Karma
1 Solution

micahkemp
Champion

The TAs aren't the issue in this case. Check out tags.conf in the Windows and nix TAs and you won't find any mention of setting the default tag.

What you're seeing is the ES identity management setting this tag based on the usernames.

If you look at the output of bin/splunk btool tags list --debug you'll see (at least) these entries, as provided by ES identity management:

etc/apps/Splunk_SA_CIM/default/tags.conf             [is_default=true]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [src_user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

And if you look at the builtin identity CSVs you'll probably see some of this:

./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:3comcso,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adfexc,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adm,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:admin|administrator,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:anonymous,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adminuser,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:advmail,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bciim,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bcms,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:browse,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cisco,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cusadmin,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cust,,,,,,,,,,,,default|privileged,,,,,,,

ES is configured to set the default tag if any of the identities it has are found in the username fields it knows about are defined in your identity lookups with the default category.

View solution in original post

micahkemp
Champion

The TAs aren't the issue in this case. Check out tags.conf in the Windows and nix TAs and you won't find any mention of setting the default tag.

What you're seeing is the ES identity management setting this tag based on the usernames.

If you look at the output of bin/splunk btool tags list --debug you'll see (at least) these entries, as provided by ES identity management:

etc/apps/Splunk_SA_CIM/default/tags.conf             [is_default=true]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [src_user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

And if you look at the builtin identity CSVs you'll probably see some of this:

./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:3comcso,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adfexc,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adm,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:admin|administrator,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:anonymous,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adminuser,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:advmail,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bciim,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bcms,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:browse,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cisco,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cusadmin,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cust,,,,,,,,,,,,default|privileged,,,,,,,

ES is configured to set the default tag if any of the identities it has are found in the username fields it knows about are defined in your identity lookups with the default category.

support0
Path Finder

Alright,

More clearer now.

So I usually build my TAs mapped to Authentication DM like this :

tags.conf

[eventtype=foo]
authentication = enabled
default = enabled

Thanks for making me realize that this was a bad habit!

It should be :

[eventtype=bar]
authentication = enabled

AND/OR :

[eventtype=foo]
authentication = enabled
privileged = enabled

for special authentication events for which you know its a privileged access.

For instance in Windows TA :

[windows_special_privileges]
search = sourcetype=*:Security (EventCode=4672 OR EventCode=576)

tags = authentication privileged

Then ES adds a default/privilged tag based on :

  • administrative_identities.csv
  • configured identities.csv

Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...