Splunk Enterprise Security
Highlighted

Default Account Usage Correlation Search - All user as default

Path Finder

Hello there,

On ES (4.7.2), the correlation search "Default Account Usage" is supposed to create notable events for default accounts as stated in its description:

"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."

It seems however that the correlation search does not differentiates between regular users and default accounts.

When looking at the correlation search, it does simply search into tag= auth + default data model.

| tstats summariesonly=true allowoldsummaries=true max(time) as "lastTime",values(Authentication.tag) as "tag",count from datamodel=Authentication.Authentication where nodename=Authentication.DefaultAuthentication.SuccessfulDefaultAuthentication by "Authentication.dest","Authentication.user","Authentication.app" | rename "Authentication.dest" as "dest","Authentication.user" as "user","Authentication.app" as "app"

Event in Splunk Demo platform, all users are listed in the results not just default accounts like admins and the like.

I am deducing that, the CIM Authentication should be understood like this :

regular user -> tag = auth

default account -> tag = auth + default

priviledged user -> tag = auth + priviledged

Thing is :

Maybe identity lookup should just contain this default accounts categorized as default. But it is not done this way in the demo identity lookup, so I am not sure.

If anyone has a clue on this, it would be great!

0 Karma
Highlighted

Re: Default Account Usage Correlation Search - All user as default

Champion

The TAs aren't the issue in this case. Check out tags.conf in the Windows and nix TAs and you won't find any mention of setting the default tag.

What you're seeing is the ES identity management setting this tag based on the usernames.

If you look at the output of bin/splunk btool tags list --debug you'll see (at least) these entries, as provided by ES identity management:

etc/apps/Splunk_SA_CIM/default/tags.conf             [is_default=true]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [src_user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

etc/apps/Splunk_SA_CIM/default/tags.conf             [user_category=default]
etc/apps/Splunk_SA_CIM/default/tags.conf             default = enabled

And if you look at the builtin identity CSVs you'll probably see some of this:

./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:3comcso,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adfexc,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adm,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:admin|administrator,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:anonymous,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:adminuser,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:advmail,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bciim,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:bcms,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:browse,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cisco,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cusadmin,,,,,,,,,,,,default|privileged,,,,,,,
./etc/apps/SA-IdentityManagement/lookups/administrative_identities.csv:cust,,,,,,,,,,,,default|privileged,,,,,,,

ES is configured to set the default tag if any of the identities it has are found in the username fields it knows about are defined in your identity lookups with the default category.

View solution in original post

Highlighted

Re: Default Account Usage Correlation Search - All user as default

Path Finder

Alright,

More clearer now.

So I usually build my TAs mapped to Authentication DM like this :

tags.conf

[eventtype=foo]
authentication = enabled
default = enabled

Thanks for making me realize that this was a bad habit!

It should be :

[eventtype=bar]
authentication = enabled

AND/OR :

[eventtype=foo]
authentication = enabled
privileged = enabled

for special authentication events for which you know its a privileged access.

For instance in Windows TA :

[windowsspecialprivileges]
search = sourcetype=*:Security (EventCode=4672 OR EventCode=576)

tags = authentication privileged

Then ES adds a default/privilged tag based on :

  • administrative_identities.csv
  • configured identities.csv

Thanks a lot!

0 Karma