Splunk Enterprise Security

How do I configure ESS to report on Splunk authentication messages

hazekamp
Builder

I noticed that "splunk" authentication does not show up in the Access Center or the Access Search views. What gives?

1 Solution

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]    
    search = "action=login attempt" NOT "action=search"
    
  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled
  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"

View solution in original post

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]    
    search = "action=login attempt" NOT "action=search"
    
  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled
  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...