Manage Splunk app for Enterprise Security default account recognition

Hi All,
we're tuning the Splunk App for Enterprise Security setup for one customer and we're experiencing a LOT of Notable Events for the Correlation Search "Default account activity detected", generated not only for default user accounts but also for regular user accounts.
It seems that the "default_user_accounts" macro invoked by the rule doesn't look in the identity.csv file for default users, but in another lookup file, "identities_expanded.csv". The online docs for the Splunk App for ES 2.4 mention a postprocess search that generates this csv, but I couldn't find it.
Any idea on how to clean and set the default account detection correctly?
regards,
Marco

Luke,
thanks for this clarification, but how is this "identities_expanded.csv" built? Why does an account not present in "identities.csv" then appear as a "default account" in "identities_expanded.csv"?
Moreover, is there a way to "reset" it?
Thanks,
Marco


Hi Marco, this process is explained in the documentation link that Luke provided. Per my question, the category tag is the key here.
I expect that if you're seeing an unexpected category tag, then you've probably got multiple definitions of the account in question, one with and one without category="default".
Lastly, I would be remiss not to note that this system has been improved in the new ES 3.0; mind you, there is no fix for GIGO, so a misplaced category would still produce the unwanted result.
The "default_user_accounts" macro evaluates "identities.csv", but indirectly. To improve performance, "identities.csv" is processed behind the scenes into "identities_expanded.csv".
Splunk will rebuild the identities_expanded.csv automatically. However, you can force it to run manually too. See the docs on "Changes to Assets and Identities"


Also, the important thing is the identity's category... do the regular accounts have category=default set?
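The two replies above (an account defined twice, once with and once without category="default", and the question of whether the regular accounts carry category=default) can be checked offline before touching the ES lookup. The script below is an added example written for this thread; it is not code from Splunk ES, and it only emulates the merge of identities.csv into the expanded lookup. It assumes the ES identity lookup column layout (identity, prefix, nick, first, last, suffix, email, phone, phone2, managedBy, priority, bunit, category, watchlist, startDate, endDate) and that multi-valued fields such as identity and category are delimited with "|"; the CSV rows it parses are constructed for the demonstration, including a deliberately duplicated "jdoe" entry.

```python
"""
Added example (not from the thread or from Splunk ES): find identities that
will be treated as default accounts, and flag identities defined twice with
conflicting category values, which is the GIGO case described in the thread.

Assumptions not stated in the thread:
  - the lookup uses the ES identity column layout shown in the header below
  - multi-valued fields (identity, category) are delimited with '|'
  - rows for the same identity are merged, so any row with category=default
    makes the whole identity a default account in the expanded lookup
"""
import csv
import io
from collections import defaultdict

# Constructed sample of identities.csv. "jdoe" is deliberately defined twice,
# once without a category and once with category=default.
SAMPLE_IDENTITIES_CSV = """\
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate
admin|administrator,,,,,,,,,,high,,default|privileged,,,
guest,,,,,,,,,,low,,default,,,
mrossi,,,Marco,Rossi,,mrossi@example.com,,,,,sales,,,,
jdoe,,,John,Doe,,jdoe@example.com,,,,,it,,,,
jdoe,,,John,Doe,,jdoe@example.com,,,,,it,default,,,
"""


def load_identities(text):
    """Parse the lookup CSV into row dicts, splitting '|' multi-valued fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = dict(row)
        row["identity"] = [v for v in row["identity"].split("|") if v]
        row["category"] = [v for v in row["category"].split("|") if v]
        rows.append(row)
    return rows


def expand_identities(rows):
    """Emulate the expansion: each identity string maps to the union of its categories."""
    expanded = defaultdict(set)
    for row in rows:
        for ident in row["identity"]:
            expanded[ident].update(row["category"])
    return {ident: sorted(cats) for ident, cats in expanded.items()}


def default_accounts(expanded):
    """Identities the 'Default account activity detected' search would match on."""
    return sorted(i for i, cats in expanded.items() if "default" in cats)


def conflicting_definitions(rows):
    """Identities defined in more than one row where only some rows say category=default."""
    seen = defaultdict(list)
    for row in rows:
        for ident in row["identity"]:
            seen[ident].append("default" in row["category"])
    return sorted(
        i for i, flags in seen.items()
        if len(flags) > 1 and any(flags) and not all(flags)
    )


if __name__ == "__main__":
    rows = load_identities(SAMPLE_IDENTITIES_CSV)
    expanded = expand_identities(rows)
    print("default accounts:", default_accounts(expanded))
    print("conflicting definitions:", conflicting_definitions(rows))
```

Run it against an export of the real identities.csv (replace the constructed sample) and every identity listed under "conflicting definitions" is a candidate for the unexpected notables: the duplicate row with category=default wins once the lookup is expanded, so the regular account is treated as a default one. The fix is in the source file, not in identities_expanded.csv, which is regenerated from it.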
