Local authentication data is a type of authentication data that captures sign-on and sign-off events involving local accounts, that is, accounts maintained within an operating system or an application rather than in a central directory. The data is collected from log files hosted on the system itself. On *nix systems, the text logs can be monitored directly, while on Windows the events are collected through the event log interface.
This data source shows logon and logoff events, the status of these events, the source addresses, user names, service names, and the time of occurrence. These values are used to track who has succeeded in gaining access to a computing asset, when the access took place, how long it lasted, and how often it occurs. It also tracks failed access attempts. Additionally, this data source often records authorization information, so that after an identity is authenticated, what that identity is authorized to do can be verified. Authentication and authorization attributes are necessary for cybersecurity investigations and for meeting compliance standards for security controls and data privacy.
When your Splunk deployment is ingesting local authentication data, you can use the data to achieve objectives related to the following use cases:
- Recognizing improper use of system administration tools
- Monitoring for signs of Windows privilege escalation attacks
- Complying with the General Data Protection Regulation (GDPR)
This data type has many available fields, but users typically derive the most value from the fields listed here:
- Action performed on the resource.
- Application involved in the event.
- Method used to authenticate.
- String describing the result of the authentication action (success or failure).
- String or identifier that a user attempted to log in with.
Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, local authentication data is typically mapped to the Authentication and Endpoint models.
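As an added example, not Splunk's own code and not part of the original page, the following Python script normalizes a few constructed *nix sshd/sudo syslog lines and Windows Security logon events into CIM Authentication-style fields that correspond to the descriptions above (action, app, authentication_method, user, src, dest), then counts failed logons per source address, the kind of check a search over the normalized data would perform. The regular expressions, the Windows field names as a forwarder would extract them, the app values win:local and win:remote, and every sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample input (not real logs): syslog-style lines as found in
# /var/log/auth.log or /var/log/secure on *nix hosts.
LINUX_LINES = [
    "Mar 12 09:15:02 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Mar 12 09:16:44 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2",
    "Mar 12 09:16:47 web01 sshd[2241]: Failed password for root from 203.0.113.9 port 40130 ssh2",
    "Mar 12 09:16:51 web01 sshd[2242]: Failed password for root from 203.0.113.9 port 40131 ssh2",
    "Mar 12 09:20:10 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Mar 12 09:21:00 web01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# Constructed sample input: Windows Security events as a forwarder would
# present them after field extraction (only the fields used here; assumed names).
WINDOWS_EVENTS = [
    {"EventCode": "4624", "ComputerName": "WS01", "TargetUserName": "alice",
     "LogonType": "2", "IpAddress": "-", "AuthenticationPackageName": "Negotiate"},
    {"EventCode": "4625", "ComputerName": "WS01", "TargetUserName": "alice",
     "LogonType": "3", "IpAddress": "203.0.113.9", "AuthenticationPackageName": "NTLM"},
]

# Assumed patterns; real sshd/sudo messages vary by version and configuration.
SSH_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<dest>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<dest>\S+) sudo:\s+(?P<src_user>\S+) : .*?"
    r"USER=(?P<user>\S+) ; COMMAND=(?P<command>.+)$"
)


def normalize_linux(line):
    """Map one syslog auth line to CIM Authentication-style fields.
    Returns None for lines this example does not model (e.g. cron sessions)."""
    m = SSH_RE.match(line)
    if m:
        return {
            "action": "success" if m["result"] == "Accepted" else "failure",
            "app": "sshd",
            "authentication_method": m["method"],
            "user": m["user"],
            "src": m["src"],
            "dest": m["dest"],
        }
    m = SUDO_RE.match(line)
    if m:
        # sudo records the escalation: src_user asked to run a command as user.
        return {
            "action": "success",
            "app": "sudo",
            "authentication_method": "unknown",
            "user": m["user"],
            "src_user": m["src_user"],
            "src": m["dest"],  # local escalation: the source is the host itself
            "dest": m["dest"],
            "command": m["command"],
        }
    return None


def normalize_windows(event):
    """Map a Security event (4624 logon success, 4625 logon failure) to the same fields."""
    code = event["EventCode"]
    if code not in ("4624", "4625"):
        return None
    ip = event.get("IpAddress", "-")
    return {
        "action": "success" if code == "4624" else "failure",
        # LogonType 2 is an interactive (console) logon; everything else is treated as remote.
        "app": "win:local" if event.get("LogonType") == "2" else "win:remote",
        "authentication_method": event.get("AuthenticationPackageName", "unknown"),
        "user": event["TargetUserName"],
        "src": event["ComputerName"] if ip in ("-", "") else ip,
        "dest": event["ComputerName"],
    }


def normalize_all(linux_lines, windows_events):
    """Normalize both sources into one list of records with common field names."""
    records = [r for r in map(normalize_linux, linux_lines) if r]
    records += [r for r in map(normalize_windows, windows_events) if r]
    return records


def failed_logons_by_src(records, threshold=3):
    """Source addresses with at least `threshold` failed logons across all apps."""
    counts = Counter(r["src"] for r in records if r["action"] == "failure")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = normalize_all(LINUX_LINES, WINDOWS_EVENTS)
    for r in recs:
        print(r)
    print("repeat failures:", failed_logons_by_src(recs))
```

Because both sources end up with the same field names, the failure count runs once over the combined records, which is the point of normalizing at search time: the three sshd failures and the Windows 4625 event from the same address are counted together.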
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.