Splunk Enterprise Security

Review account activity for accounts which have been flagged.

adamsmith47
Communicator

Let me first say, I'm sure I could write a search that essentially returns what I'm looking for, however due to the amount and nature of the data it would not be a fast-running search. I'm looking to broaden my horizons using data models and acceleration to make this more efficient.

The goal: provide daily reports on activity for "flagged" accounts, only WHILE they are flagged. Ex, if an account is flagged from 5/16/2018 12:00 pm to 2:00 pm, I'd like to find authentication activity for that account during that 2 hour period for which it was flagged.

I can easily write a search to return a list of accounts which had been flagged and the time span they were flagged for, but, I'm looking for advice on efficient ways to find the authentication events related to that flagged period. We have ES, with an accelerated authentication data model, though I don't have a good sense of how to apply my query to it. Would this be a custom correlation search in ES?

Any suggestions, links, examples are highly appreciated.

Thank you.

0 Karma

hortonew
Builder

How many users do you typically have flagged at one time? How do you go about flagging them in Splunk (just adding to a lookup table maybe)? I haven't worked with ES, but could imagine building something around this with a couple of lookups (csv or kvstore) and a scheduled search. One lookup would contain flagged users (updated manually, with the lookup editor, or with some other automation), and your scheduled search would constantly scan the last minute, every minute, for auth events that match users in that lookup. The search would then input the auth events lookup, find new data in the last minute for matching users, remove users that don't exist anymore, and re-write the lookup.

If you're going the ES route, a data model acceleration allows you to use tstats as a fast command to return results. I would assume if you dig into the macros for what's populating your dashboards, you'll find the searches they use behind the scenes.

0 Karma