Splunk Enterprise Security
Highlighted

How to detect default accounts by Splunk?

Builder

Hi.
I see dashboard in ES 4.1.1 aka "Default Account Activity", but he shows activity of all accounts.

How to detect Default Account? Any solutions?
Maybe someone can share list of all default accounts? (I'm tried to google, but got unsatisfactory results).

By "Default Account" i mean:

"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."
0 Karma
Highlighted

Re: How to detect default accounts by Splunk?

Influencer

Hey

Are you looking for the Administrative lookup of ES?

/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit?namespace=SA-IdentityManagement&transform=administrative_identity_lookup

Or is it the case that all your logins are being wrongfully tagged with tag="default"?

Look at the DataSet definition

**Default Authentication**

(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) 

Constraint
tag="default"
0 Karma
Highlighted

Re: How to detect default accounts by Splunk?

Builder

That lookup have only 30+ default usernames and we don't know topicality of there names.
So, any another solutions?

0 Karma
Highlighted

Re: How to detect default accounts by Splunk?

Builder

Or, how to search default accounts by Splunk?
Because I see all users are listed in the results not just default accounts like admins and the like.

0 Karma
Highlighted

Re: How to detect default accounts by Splunk?

Influencer

This behaviour is not related to that Lookup. It is actually related to how your events are arriving to Splunk and how they are tagged in the sourcetypes.

For instance if you have WinEventLog:Security, SYSTEM account is considered by the SplunkTAfor_Windows as a default account ant therefore tagged as tag=default, and so it shows up in that correlation search.

You should try to understand why are your events tagged with tag=default in one of the sourcetypes you are getting wrongful data.

0 Karma
Highlighted

Re: How to detect default accounts by Splunk?

Engager

In my case I am not getting a single default login

0 Karma