Splunk Enterprise Security

Why is our Splunk-ES iplocation src returning 192.168.xxx.xxx addresses in the "Access Anomalies" dashboard?

ChadLangUAB
Path Finder

Why is our Splunk-ES iplocation src returning 192.168.xxx.xxx addresses in the "Access Anomalies" dashboard?

Why is our Splunk-ES "Access Anomalies" dashboard returning unusable usernames (HealthMailbox3bf7XXXX) for the user field?

0 Karma

ChadLangUAB
Path Finder

Where would you recommend excluding this traffic? At the dashboard level or the data model level?

I believe it should be a constraint in the data model, but it doesn't seem to work as expected.

If at the dashboard level, where should NOT cidrmatch("192.168.0.0/16",src) go?

| tstats summariesonly values(Authentication.app) as app, latest(Authentication.user_bunit) as user_bunit from datamodel=Authentication.Authentication where * by Authentication.user,Authentication.src _time span=1s
| drop_dm_object_name("Authentication")
| eventstats dc(src) as src_count by user
| search src_count>1
| sort 0 + _time
| get_asset(src)
| iplocation src
| eval session_city=if(isnull(src_city), City, src_city)
| eval session_country=if(isnull(src_country), Country, src_country)
| eval session_lat=if(isnull(src_lat), lat, src_lat)
| eval session_lon=if(isnull(src_long), lon, src_long)
| where isnotnull(session_lat) and isnotnull(session_lon)
| streamstats current=t window=2 earliest(session_lat) as prev_lat, earliest(session_lon) as prev_lon, earliest(_time) as prev_time, earliest(src) as prev_src, earliest(session_city) as prev_city, earliest(session_country) as prev_country, earliest(app) as prev_app, latest(user_bunit) as user_bunit by user
| where (src!=prev_src)
| globedistance(session_lat,session_lon,prev_lat,prev_lon,"m")
| eval time_diff=if((_time-prev_time)==0, 1, _time - prev_time)
| eval speed = round(distance*3600/time_diff,2)
| where speed>500 | uitime(prev_time)
| table user, user_bunit, src, _time, session_city, session_country, app, prev_src, prev_time, prev_city, prev_country, prev_app, distance, speed

If at the data model level, where should NOT (action=success user=$ src=192.168..*) go?

My Authentication data model looks like:

Successful Authentication
Successful_Authentication

CONSTRAINTS

(cim_Authentication_indexes) tag=authentication NOT (action=success user=$) *Inherited
action="success" Constraint

Any guidance is appreciated, support hasn't been any help.

0 Karma

mgaudie_splunk
Splunk Employee
Splunk Employee

What you are seeing seems like normal outputs from ES.

The src field is populated by the source host that has generated that event. A number of log sources will often populate this field with IP addresses and not hostnames, such as firewalls and proxies.

This is the same for the username you are seeing, there is a log source that has the HealthMailbox account as the user generating that event. HealthMailbox mailbox accounts are a mailbox with an active directory account, which is why there are logs being generated that have it as the user.

You can always alter the searches to not include these accounts or src ips, but you should first do some thorough investigation to be sure that these authentication attempts are in fact not anomalies else you might miss threats or attacks in the future.

0 Karma

ChadLangUAB
Path Finder

I'm assuming the best course of action here is to work with our AD admins to map those usernames to a more usable format & those IPs to a NATted address within the saved dashboard searches?

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...