Authentication data
Authentication data refers to the information used to verify the identity of a user, system, application, or device attempting to access a resource or service. Authentication verifies identity, while authorization determines what the authenticated user is allowed to do.
Authentication data is a critical component of security mechanisms, ensuring that only authorized entities can access protected resources. It can include credentials such as passwords, tokens, biometrics, or certificates. It should never be stored in plaintext. Instead, it should be hashed or encrypted, and transmitted using secure protocols to prevent unauthorized access or interception. Handling authentication data often falls under privacy regulations like GDPR, CCPA, or HIPAA, depending on the context.
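The storage rule above (hash, never plaintext) in working form, as an added example that is not part of the original page. It uses only the Python standard library; the function names, the record format, and the PBKDF2 iteration count are my own choices, not anything the page specifies. Passwords get a per-user random salt and a slow, iterated hash; API keys are high-entropy random strings, so a plain SHA-256 of the key is enough to keep the plaintext out of the store. Comparisons use a constant-time check so the verifier does not leak timing.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Assumed parameters for this illustration: PBKDF2-HMAC-SHA256 with 600k
# iterations and a 16-byte random salt per stored password.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt_hex>$<hash_hex>'.

    The plaintext password is never part of the record; only the salt and the
    derived key are kept, so a leaked record does not directly yield the secret.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def issue_api_key() -> Tuple[str, str]:
    """Generate a random API key; return (plaintext to hand to the client, hash to store).

    The key has ~256 bits of entropy, so an unsalted SHA-256 is sufficient for
    lookup and still keeps the usable secret out of the database.
    """
    plaintext = secrets.token_urlsafe(32)
    stored = hashlib.sha256(plaintext.encode("utf-8")).hexdigest()
    return plaintext, stored


def lookup_api_key(presented: str, store: Dict[str, str]) -> Optional[str]:
    """Resolve a presented key to its owner by hashing it and looking up the digest.

    `store` maps sha256 hex digest -> principal name (a constructed in-memory table).
    """
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    # Compare against every entry in constant time rather than relying on dict
    # membership alone, so the check does not short-circuit on a partial match.
    for stored_digest, principal in store.items():
        if hmac.compare_digest(digest, stored_digest):
            return principal
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)  # salt and derived key only; the password text is absent
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))  # False

    key, stored_hash = issue_api_key()
    api_store = {stored_hash: "reporting-service"}  # constructed store
    print(lookup_api_key(key, api_store))  # reporting-service
    print(lookup_api_key("not-a-real-key", api_store))  # None
```

Two records for the same password differ because each carries its own salt, so an attacker who obtains the store cannot use one precomputed table against every user. The API-key path shows the complementary case: a secret the server generates itself can be hashed with a fast function because there is nothing low-entropy to guess.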
Authentication data typically includes:
- Knowledge-based authentication (something you know)
  - Username and password
  - Security questions and answers
  - Personal identification number
- Possession-based authentication (something you have)
  - One-time passwords
  - Physical security tokens
  - Digital certificates
  - Smart cards
- Biometric authentication (something you are)
  - Fingerprint data
  - Facial recognition data
  - Iris or retina scans
  - Voice recognition data
- Behavioral authentication (something you do)
  - Keystroke patterns
  - Mouse movement or gesture patterns
- Token-based or cryptographic authentication
  - Session tokens
  - API keys
  - SSH keys
  - OAuth access tokens
- Multi-factor authentication (MFA)
  - Password + OTP
  - Password + biometric
  - Smart card + PIN
The Splunk Common Information Model (CIM) add-on contains an Authentication data model with fields that describe login activities from any data source.
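To make the data-model idea concrete, here is an added example (not code from the page or from Splunk) that parses constructed OpenSSH syslog lines into the CIM Authentication field names (action, app, authentication_method, dest, src, user, reason, signature) and then counts failures per source, which is the shape of the brute-force detection listed under the use cases below. The regular expression, the sample lines (RFC 5737 test addresses), and the threshold are my own assumptions; in Splunk the equivalent search would run over the Authentication data model rather than raw text.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in OpenSSH syslog format (not real traffic).
SAMPLE_LOGS = [
    "Mar  3 10:01:02 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Mar  3 10:01:05 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 40130 ssh2",
    "Mar  3 10:01:09 bastion sshd[2215]: Failed password for root from 203.0.113.5 port 40141 ssh2",
    "Mar  3 10:02:40 bastion sshd[2290]: Accepted publickey for alice from 198.51.100.7 port 50514 ssh2",
    "Mar  3 10:03:11 bastion sshd[2301]: Failed password for bob from 198.51.100.7 port 50520 ssh2",
]

# Assumed pattern for sshd accept/fail lines; real deployments vary by OpenSSH version.
SSHD_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<dest>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?P<invalid>invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def normalize(line: str) -> Optional[Dict[str, str]]:
    """Map one sshd line onto CIM Authentication field names, or None if it does not match."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "action": "success" if m["outcome"] == "Accepted" else "failure",
        "app": "sshd",
        "authentication_method": m["method"],   # password, publickey, ...
        "dest": m["dest"],                        # host that evaluated the login
        "src": m["src"],                          # where the attempt came from
        "user": m["user"],
        "reason": "invalid user" if m["invalid"] else "",
        "signature": line.split(": ", 1)[1],      # human-readable event description
    }


def normalize_all(lines: List[str]) -> List[Dict[str, str]]:
    """Normalize every line, silently skipping ones the pattern does not cover."""
    events = []
    for line in lines:
        event = normalize(line)
        if event is not None:
            events.append(event)
    return events


def brute_force_sources(events: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Return sources whose failed-login count reaches the (assumed) threshold."""
    failures = Counter(e["src"] for e in events if e["action"] == "failure")
    return {src: n for src, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LOGS)
    for e in events:
        print(e["action"], e["user"], e["src"], "->", e["dest"], e["reason"])
    print(brute_force_sources(events))  # {'203.0.113.5': 3}
```

Once every source feeds the same field names, one search such as "count failures by src over a window" covers SSH, Windows, Okta, and the other add-ons listed below without per-source logic, which is the reason the CIM model exists. The threshold and window are tuning decisions; a fixed count of three in a few seconds is only a starting point for the illustration.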
Add-ons and apps
- Splunk Add-on for Cisco Identity Service
- Splunk Add-on for Cisco ESA
- Splunk Add-on for Cisco WSA
- Splunk Supporting Add-on for Active Directory
- Splunk Add-on for RSA SecurID CAS
- Splunk Add-on for RSA SecurID
- RSA SecureID Authentication Manager
- Splunk Add-on for Jira Cloud
- Splunk Add-on for Jira Data Center
- PingFederate App for Splunk
- Entrust Identity as a Service Add-on for Splunk
- Aruba ClearPass App for Splunk
- CrowdStrike OAuth API
- Azure AD User Registration Details
- Splunk Add-on for Okta Identity Cloud
- Okta Connector
- AWS IAM Connector
Use cases for the Splunk platform
- Managing Azure cloud infrastructure
- Complying with General Data Protection Regulation
- Monitoring NIST SP 800-53 rev5 control families
- Securing a work-from-home organization
- Getting Okta data into the Splunk platform
- Enabling Okta single sign-on in the Splunk platform
- Running common General Data Protection Regulation (GDPR) compliance searches
- Detecting brute force access behavior
- Routing root user events to a special index
- Securing the Splunk platform with TLS
- Securing the Splunk Cloud Platform
- Implementing business, data, and security compliance
- Monitoring Windows account access
- Finding interactive logins from service accounts
Use cases for Splunk security products
- Detecting non-privileged user accounts conducting privileged actions
- Monitoring medical record numbers for anomalous access
- Disabling inactive users on AWS
- Monitoring for signs of a Windows privilege escalation attack
- Enabling an audit trail from Active Directory
- Configuring Windows security audit policies for Enterprise Security visibility
- Configuring Windows event logs for Enterprise Security use
- Using the Splunk Enterprise Security assets and identities framework
- Disabling a user account with Azure AD Graph connector
- Detecting password spraying attacks within Active Directory environments
- Detecting Office 365 attacks
- Detecting cloud federated credential abuse in Windows
- Detecting cloud federated credential abuse in AWS