Splunk Enterprise Security

How do I configure ESS to report on Splunk authentication messages

hazekamp
Builder

I noticed that "splunk" authentication does not show up in the Access Center or the Access Search views. What gives?

1 Solution

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]    
    search = "action=login attempt" NOT "action=search"
    
  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled
  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"

View solution in original post

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]    
    search = "action=login attempt" NOT "action=search"
    
  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled
  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"

Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...