Splunk Enterprise Security

How do I configure ESS to report on Splunk authentication messages?

hazekamp
Builder

I noticed that "splunk" authentication does not show up in the Access Center or the Access Search views. What gives?

1 Solution

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center, do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]
    search = "action=login attempt" NOT "action=search"

  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled

  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit

  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"
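
A check for steps 1 to 3 of the answer above, as an added example (not part of the original post and not Splunk tooling): it reads the three .conf files and lists which roles can search _audit, which is the exposure the warning in step 3 refers to. It assumes the role settings made in the UI are stored as `srchIndexesDefault` and `srchIndexesAllowed` under `[role_<name>]` in authorize.conf; the function names and sample file contents are constructed.

```python
import fnmatch
import re

def parse_conf(text):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; later keys win."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def grants_audit(role, key):
    """True if the role's semicolon-separated index list in `key` covers _audit."""
    # A bare * only matches non-internal indexes, so a pattern must start with _.
    pats = [p.strip() for p in role.get(key, "").split(";")]
    return any(p.startswith("_") and fnmatch.fnmatchcase("_audit", p) for p in pats)

def check_setup(eventtypes, tags, authorize, role="admin"):
    """Findings for steps 1-3; an empty list means all three are in place."""
    et, tg, au = parse_conf(eventtypes), parse_conf(tags), parse_conf(authorize)
    findings = []
    if "search" not in et.get("splunk_access", {}):
        findings.append("eventtypes.conf: [splunk_access] has no search")
    if tg.get("eventtype=splunk_access", {}).get("authentication") != "enabled":
        findings.append("tags.conf: authentication tag not enabled")
    if not grants_audit(au.get(f"role_{role}", {}), "srchIndexesDefault"):
        findings.append(f"authorize.conf: role_{role} does not search _audit by default")
    return findings

def roles_allowed_audit(authorize):
    """Roles whose srchIndexesAllowed exposes _audit (importRoles not resolved)."""
    return sorted(name[len("role_"):] for name, role in parse_conf(authorize).items()
                  if name.startswith("role_") and grants_audit(role, "srchIndexesAllowed"))

# Constructed sample files mirroring the answer; the authorize.conf content is invented.
EVENTTYPES = '[splunk_access]\nsearch = "action=login attempt" NOT "action=search"\n'
TAGS = "[eventtype=splunk_access]\nauthentication = enabled\n"
AUTHORIZE = ("[role_admin]\nsrchIndexesDefault = main;_audit\nsrchIndexesAllowed = *;_*\n"
             "[role_user]\nsrchIndexesDefault = main\nsrchIndexesAllowed = *\n")

if __name__ == "__main__":
    print(check_setup(EVENTTYPES, TAGS, AUTHORIZE, "user"), roles_allowed_audit(AUTHORIZE))
```

On a live instance, the merged output of `splunk btool authorize list` is a better input than a single file, because settings are layered across apps.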

