Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Manage Splunk app for Enterprise Security default account recognition

marcoscala
Builder
‎01-30-2014 03:35 AM

Hi All,
we're tuning the Splunk App for Enterprise Security setup for one Customer and we're experiences a LOT of Notable Events for Correlational Search "Default account activity detected"generated also for not default user accounts, but for regular user accounts.

It seems that the "default_user_accounts" macro invoked by the rule doesn't look in the identity.csv file for default users, but in another "identities_expanded.csv" lookup file. The online docs for Splunk app for ES 2.4 mention a postprocess search that generate this csv but I could't find it.

Any idea on how to clean and set the default account detection correctly?

regards,
Marco

0 Karma
Reply

marcoscala
Builder
‎01-31-2014 08:37 AM

Luke,
thanks for this clarification, but how this "identities_expanded.csv" is build? Why an account not present in "identities.csv" the appears as "default account" in "identities_expanded.csv"?

Moreover, is there a way to "reset" it?

Thanks,

Marco

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎01-31-2014 08:49 AM

Hi Marco, this process is explained in the documentation link that Luke provided. Per my question, the category tag is the key here.

I expect that if you're seeing an unexpected category tag, then you've probably got multiple definitions of the account in question, one with and one without category="default".

Lastly, I would be remiss not to note that this system has been improved in the new ES 3.0; mind you, there is no fix for GIGO, so a misplaced category would still produce the unwanted result.

0 Karma
Reply

LukeMurphey
Champion
‎01-30-2014 10:01 AM

The "default_user_accounts" evaluates "identities.csv" but indirectly. To improve performance, the "identities.csv" is processed behind the scenes into "identities_expanded.csv".

Splunk will rebuild the identities_expanded.csv automatically. However, you can force it to run manually too. See the docs on "Changes to Assets and Identities"

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎01-30-2014 01:05 PM

also, the important thing is the identity's category... do the regular accounts have category=default set?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...