Network and local authentication data records sign-on and sign-off events, the status of each event, the source and destination addresses, the service name, and the time of occurrence. These values are used to track who succeeded in gaining access to a computing asset, when the access took place, how long it lasted, and how often it occurred. The data also records failed access attempts. Additionally, this data source often tracks authorization settings, so that after an identity is authenticated, what that identity is authorized to do can be verified. Authentication data includes:
- Active Directory: a distributed directory in which organizations define user and group identities, security policies and content controls.
- LDAP: an open standard defined by the IETF that is typically used to provide user authentication (name and password). It has a flexible directory structure that can hold a variety of information such as full name, phone numbers, email and physical addresses, organizational units, workgroup and manager.
- Identity Management: identity management is the method of linking the users of digital resources—whether people, IoT devices, systems or applications—to a verifiable online ID.
- Single Sign-On (SSO): a process of using federated identity management to provide verifiable, attestable identities from a single source to multiple systems. SSO significantly increases security by tying user credentials to a single source, allowing changes to user rights and account status to be made once and reflected in every application or service to which the user has access. SSO is particularly important for users with elevated security rights, such as system or network administrators who have access to a large number of systems.
In the Common Information Model, authentication data is typically mapped to the Authentication data model.
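As an added example that is not part of the original page or of Splunk's own code, the Python below normalizes a handful of constructed authentication events (Linux sshd lines and Windows security events flattened to key=value text, both of which are assumed formats for this example) into Common Information Model Authentication data model field names (action, app, src, dest, user, signature, signature_id, authentication_method) and then tallies successes, failures and repeated failures per user and source, which is the tracking the data source description above sets out. Hostnames, addresses and usernames in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events (not from the page): four sshd lines and two
# Windows security events flattened to key=value text for this example.
SAMPLE_EVENTS = [
    "2024-03-01T08:00:01Z host=web01 sshd[1201]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "2024-03-01T08:00:09Z host=web01 sshd[1203]: Failed password for bob from 203.0.113.9 port 40110 ssh2",
    "2024-03-01T08:00:11Z host=web01 sshd[1203]: Failed password for bob from 203.0.113.9 port 40111 ssh2",
    "2024-03-01T08:00:12Z host=web01 sshd[1203]: Failed password for invalid user bob from 203.0.113.9 port 40112 ssh2",
    "2024-03-01T08:05:00Z host=dc01 EventCode=4624 Account_Name=alice Source_Network_Address=10.0.0.5 Logon_Type=10",
    "2024-03-01T08:06:30Z host=dc01 EventCode=4625 Account_Name=carol Source_Network_Address=198.51.100.7 Logon_Type=3",
]

# Assumed line shapes for the two constructed sources above.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<dest>\S+) sshd\[\d+\]: (?P<status>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
WINEVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<dest>\S+) EventCode=(?P<code>\d+) "
    r"Account_Name=(?P<user>\S+) Source_Network_Address=(?P<src>\S+)"
)

# Windows security event IDs 4624 (logon succeeded) and 4625 (logon failed).
WIN_SIGNATURES = {
    "4624": "An account was successfully logged on",
    "4625": "An account failed to log on",
}


def normalize(line):
    """Map one raw event to CIM Authentication fields; return None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:
        return {
            "_time": m["ts"],
            "action": "success" if m["status"] == "Accepted" else "failure",
            "app": "sshd",
            "dest": m["dest"],
            "src": m["src"],
            "user": m["user"],
            "authentication_method": m["method"],
            "signature": f"{m['status']} {m['method']}",
        }
    m = WINEVENT_RE.match(line)
    if m and m["code"] in WIN_SIGNATURES:
        return {
            "_time": m["ts"],
            "action": "success" if m["code"] == "4624" else "failure",
            "app": "win:security",
            "dest": m["dest"],
            "src": m["src"],
            "user": m["user"],
            "signature_id": m["code"],
            "signature": WIN_SIGNATURES[m["code"]],
        }
    return None


def summarize(lines):
    """Normalize every line and count success/failure per user (the 'who, and how often')."""
    events = [e for e in map(normalize, lines) if e is not None]
    by_user = defaultdict(Counter)
    for e in events:
        by_user[e["user"]][e["action"]] += 1
    return {"events": events, "by_user": dict(by_user)}


def repeated_failures(events, threshold=3):
    """(user, src) pairs with at least `threshold` failed logons, the basic
    review item the failed-attempt tracking in this data source supports."""
    counts = Counter((e["user"], e["src"]) for e in events if e["action"] == "failure")
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    for user, counts in sorted(result["by_user"].items()):
        print(f"{user}: {dict(counts)}")
    print("repeated failures:", repeated_failures(result["events"]))
```

The same normalization is what a Splunk add-on's field aliases and tags do before a search against the Authentication data model; having `action`, `user`, `src` and `dest` populated consistently across sshd and Windows sources is what lets one search answer the who/when/how-often questions for both.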
Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion:
- Common data sources
Use cases for the Splunk platform
Use cases for Splunk security products
- Detecting non-privileged user accounts conducting privileged actions
- Monitoring medical record numbers for anomalous access
- Identifying and disabling inactive users on AWS
- Conducting an Azure new user census
- Detecting techniques in the Orangeworm attack group
- Monitoring for signs of a Windows privilege escalation attack