
Splunk Lantern

Network access control data

Network access control (NAC) data refers to the information generated, collected, or enforced by systems that manage and monitor which users, devices, or systems are permitted to connect to and communicate over a network. Most events include a timestamp, device, user, and action. Events can also include the network, connection status, reason for an action, compliance status, applicable policy, and session start and end time. This data is used for access management and policy enforcement, which supports security, compliance, and operational visibility.

Network access control data is event driven and comes from the following:

  • Authentication events: Device/user successfully authenticated to the network
  • Access denied/quarantine events: Device denied or isolated due to non-compliance
  • Network admission control logs: Entry showing device/user passed compliance and was admitted
  • Policy enforcement actions: Actions taken for non-compliance (for example, quarantine)
  • Connection attempts and results: Log of successful or failed network access attempts
  • Session activity: Start/end times and details for a network session
  • Network segmentation changes: Device moved between network segments/VLANs
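
As an added illustration (not part of the Splunk Lantern page or any vendor's product), the following Python normalizes a few constructed NAC log lines into the fields named above (timestamp, device, user, action, plus optional network, reason, compliance status and policy) and derives the kind of summaries a detection engineer would want: denials per device, devices denied or quarantined for a compliance failure, and session duration from the authentication event to the matching session end. The `key=value` line format and all sample values are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample NAC log lines (assumed key=value format, not a real product's output).
SAMPLE_NAC_LOGS = """
2024-05-01T08:00:01Z event=auth_success user=alice device=lap-01 network=corp vlan=10
2024-05-01T08:00:05Z event=auth_success user=bob device=lap-02 network=corp vlan=10
2024-05-01T08:01:10Z event=access_denied user=carol device=iot-07 network=guest reason=agent_missing compliance=fail
2024-05-01T08:02:30Z event=quarantine user=carol device=iot-07 network=quarantine vlan=999 reason=agent_missing compliance=fail policy=posture-v2
2024-05-01T08:03:00Z event=session_end user=alice device=lap-01 network=corp
2024-05-01T08:05:00Z event=access_denied user=dave device=lap-09 network=corp reason=bad_credentials
""".strip().splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")
DENY_ACTIONS = {"access_denied", "quarantine"}  # policy enforcement outcomes

def parse_nac_event(line):
    """Map one line onto the core NAC fields; any extra key=value pairs are kept as optional fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    core = {"timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "device": fields.pop("device", None), "user": fields.pop("user", None),
            "action": fields.pop("event", None)}
    return {**core, **fields}

def denial_counts(events):
    """How often each device was denied or quarantined (repeat offenders stand out)."""
    return Counter(e["device"] for e in events if e["action"] in DENY_ACTIONS)

def non_compliant_devices(events):
    """Devices whose denial/quarantine carried an explicit compliance failure."""
    return sorted({e["device"] for e in events
                   if e["action"] in DENY_ACTIONS and e.get("compliance") == "fail"})

def session_durations(events):
    """Seconds from a device's auth_success to its next session_end, in timestamp order."""
    started, durations = {}, {}
    for e in sorted(events, key=lambda ev: ev["timestamp"]):
        if e["action"] == "auth_success":
            started[e["device"]] = e["timestamp"]
        elif e["action"] == "session_end" and e["device"] in started:
            durations[e["device"]] = int((e["timestamp"] - started.pop(e["device"])).total_seconds())
    return durations

def summarize(lines):
    """Parse all lines and return the three summaries in one dictionary."""
    events = [parse_nac_event(line) for line in lines]
    return {"events": len(events), "denials_by_device": dict(denial_counts(events)),
            "non_compliant": non_compliant_devices(events), "sessions": session_durations(events)}

if __name__ == "__main__":
    print(summarize(SAMPLE_NAC_LOGS))
```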

Network access is managed by network infrastructure, such as firewalls, routers, switches, VPNs, and security groups.

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion:

Use cases for the Splunk platform

Use cases for Splunk security software