Security

Is Splunk or Ent. Security able to detect attacks by rogue systems or Artificially Intelligent enabled Server?

SamHTexas
Builder

Is Splunk Enterprise or Splunk Ent. Security (ES) able to detect attacks by rogue systems or Artificially Intelligent enabled Server? Are AI enabled servers able to create user accounts in my Splunk environment?

Labels (1)
0 Karma

venkatasri
Influencer

Hi @SamHTexas 

Splunk Core/Ent* and ES are no exception for an attack. Having said that similar to any other systems Splunk stack shall be protected as well, if someone managed to create a user they would be having full access from outside, and as far as i know there are no prebuilt reports for user creations and malicious activities identification.

  • Splunk _audit logs are place to find in case of something unusual activity is happening. Create a schedule search/ on ES create notable search to SOC to analyze
  • If someone gain access to Splunk host they can create stuff from CLI and update .conf similar to any other host, they shall be monitored as well for file system changes and abrupt restarts.
  • Do not expose Rest API and web ports to public internet. 

these are some of the tips there could be many detections that needs to be enabled to monitor Splunk security posture it depends on how it has implemented and tools in place. Splunk ES can be used to monitor whole Splunk itself however custom notable searches shall be created.

 

----

An upvote would be appreciated and Accept solution if it helps!

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!