- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to detect default accounts by Splunk?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to detect default accounts by Splunk?
Hi.
I see dashboard in ES 4.1.1 aka "Default Account Activity", but he shows activity of all accounts.
How to detect Default Account? Any solutions?
Maybe someone can share list of all default accounts? (I'm tried to google, but got unsatisfactory results).
By "Default Account" i mean:
"Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
Are you looking for the Administrative lookup of ES?
/en-US/app/SplunkEnterpriseSecuritySuite/ess_lookups_edit?namespace=SA-IdentityManagement&transform=administrative_identity_lookup
Or is it the case that all your logins are being wrongfully tagged with tag="default"?
Look at the DataSet definition
**Default Authentication**
(`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)
Constraint
tag="default"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That lookup have only 30+ default usernames and we don't know topicality of there names.
So, any another solutions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my case I am not getting a single default login
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or, how to search default accounts by Splunk?
Because I see all users are listed in the results not just default accounts like admins and the like.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This behaviour is not related to that Lookup. It is actually related to how your events are arriving to Splunk and how they are tagged in the sourcetypes.
For instance if you have WinEventLog:Security, SYSTEM account is considered by the Splunk_TA_for_Windows as a default account ant therefore tagged as tag=default, and so it shows up in that correlation search.
You should try to understand why are your events tagged with tag=default in one of the sourcetypes you are getting wrongful data.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
