Thank you everyone for taking the time to read this. I am new to Splunk and interested in learning more. I have a project at home, and this has to do with viewing authentication traffic on a given network.
The challenge I face:
I need to view what authentication method is being used to access what resource on the network for a given index and sourcetype. For example, Windows systems do not have an attribute solely representing whether the access to the node was SSO or MFA; all I get is an event ID 4624. Windows Event ID 4624, successful logon — Dummies guide, 3 minute read (manageengine.com) My understanding is that I have to gather a few attributes and make an educated guess about what access was used. I was hoping to find a one-liner lol that will show me what resource is using what authentication method. Any help would be appreciated, and virtual drinks on me if we strike gold 🙂
1. If you have your SSO/MFA data ingested and parsed correctly, also using Splunk's TAs, most of them come with out-of-the-box tags that can be used to search for the data type.
Simple Example - This will search for authentication data across your defined indexes and present the results (the tags search for authentication data). You can add your sourcetypes as well:
index=linux OR index=Windows OR index=my_SSO_data tag=authentication
You can find the tags via the GUI (easy way), or inspect the TA itself (eventtypes and tags).
2. If you have not ingested data, then you need to ensure the below.
Example
Okta SSO / MFA - Okta would provide authentication data somewhere, in logs or an API. You then need to onboard this data into Splunk, ensure there is a TA that helps with the parsing and tagging, then analyse the data to see what it gives you and run various queries to give you the results you are looking for.
Windows Event logs normally give you authentication data based on AD / Logon events. They also provide Azure AD / Entra, so if you used these you would again need to ingest that data into Splunk first and then run queries.
Side note:
Using Splunk you can check which TAs have tags for authentication:
| rest splunk_server=local services/configs/conf-tags
| rename eai:acl.app AS app, title AS tag
| table app tag authentication
This will show you the eventtypes which are associated with tags
| rest splunk_server=local services/configs/conf-eventtypes
| rename eai:acl.app AS app, title AS eventtype
| table app search eventtype