Splunk Enterprise Security

Default Account Usage Correlation Search - All user as default

support0
Path Finder

Hello there,

On ES (4.7.2), the correlation search "Default Account Usage" is supposed to create notable events for default accounts as stated in its description:

"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."

It seems however that the correlation search does not differentiates between regular users and default accounts.

When looking at the correlation search, it does simply search into tag= auth + default data model.

| tstats summariesonly=true allow_old_summaries=true max(_time) as "lastTime",values(Authentication.tag) as "tag",count from datamodel=Authentication.Authentication where nodename=Authentication.Default_Authentication.Successful_Default_Authentication by "Authentication.dest","Authentication.user","Authentication.app" | rename "Authentication.dest" as "dest","Authentication.user" as "user","Authentication.app" as "app"

Event in Splunk Demo platform, all users are listed in the results not just default accounts like admins and the like.

I am deducing that, the CIM Authentication should be understood like this :

regular user -> tag = auth

default account -> tag = auth + default

priviledged user -> tag = auth + priviledged

Thing is :

Maybe identity lookup should just contain this default accounts categorized as default. But it is not done this way in the demo identity lookup, so I am not sure.

If anyone has a clue on this, it would be great!

0 Karma
1 Solution

micahkemp
Champion

The TAs aren't the issue in this case. Check out tags.conf in the Windows and nix TAs and you won't find any mention of setting the default tag.

What you're seeing is the ES identity management setting this tag based on the usernames.

If you look at the output of bin/splunk btool tags list --debug you'll see (at least) these entries, as provided by ES identity management:

etc/apps/Splunk_SA_CIM/default/tags.conf             [is_default=true]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [src_user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

And if you look at the builtin identity CSVs you'll probably see some of this:

./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:3comcso,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adfexc,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adm,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:admin|administrator,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:anonymous,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adminuser,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:advmail,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bciim,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bcms,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:browse,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cisco,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cusadmin,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cust,,,,,,,,,,,,default|privileged,,,,,,,

ES is configured to set the default tag if any of the identities it has are found in the username fields it knows about are defined in your identity lookups with the default category.

View solution in original post

micahkemp
Champion

The TAs aren't the issue in this case. Check out tags.conf in the Windows and nix TAs and you won't find any mention of setting the default tag.

What you're seeing is the ES identity management setting this tag based on the usernames.

If you look at the output of bin/splunk btool tags list --debug you'll see (at least) these entries, as provided by ES identity management:

etc/apps/Splunk_SA_CIM/default/tags.conf             [is_default=true]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [src_user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

And if you look at the builtin identity CSVs you'll probably see some of this:

./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:3comcso,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adfexc,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adm,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:admin|administrator,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:anonymous,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adminuser,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:advmail,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bciim,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bcms,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:browse,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cisco,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cusadmin,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cust,,,,,,,,,,,,default|privileged,,,,,,,

ES is configured to set the default tag if any of the identities it has are found in the username fields it knows about are defined in your identity lookups with the default category.

support0
Path Finder

Alright,

More clearer now.

So I usually build my TAs mapped to Authentication DM like this :

tags.conf

[eventtype=foo]
authentication = enabled
default = enabled

Thanks for making me realize that this was a bad habit!

It should be :

[eventtype=bar]
authentication = enabled

AND/OR :

[eventtype=foo]
authentication = enabled
privileged = enabled

for special authentication events for which you know its a privileged access.

For instance in Windows TA :

[windows_special_privileges]
search = sourcetype=*:Security (EventCode=4672 OR EventCode=576)

tags = authentication privileged

Then ES adds a default/privilged tag based on :

  • administrative_identities.csv
  • configured identities.csv

Thanks a lot!

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...