Network authentication is a type of authentication data that captures sign-on and sign-off events involving network services. Common technology sources for network authentication are Okta, Active Directory, Azure AD, LDAP, Shibboleth, and RADIUS systems. VPN systems also track authentication and authorization events, along with other functions. Network authentication differs from local authentication in that local authentication relies solely on local files or settings to confirm login credentials and the authorization level for assets on the local host.
This data source shows sign-on and sign-off events, the status of those events, the source and destination addresses, the service name, and the time of occurrence. These values are used to track who succeeded in gaining access to a computing asset, when the access took place, how long it lasted, and how often it occurred. It also tracks failed access attempts. Additionally, this data source often records authorization settings, so that after an identity is authenticated, what that identity is authorized to do can be verified. Authentication and authorization attributes are necessary for cybersecurity investigations and for meeting compliance standards for security controls and data privacy.
When your Splunk deployment is ingesting network authentication events, you can use the data to achieve objectives related to the following use cases:
- Detecting techniques in the Orangeworm attack group
- Monitoring for signs of Windows privilege escalation attacks
- Securing a work-from-home organization
- Complying with General Data Protection Regulation
This data type has many available fields, but users typically derive the most value out of the fields listed here (named as in the Splunk CIM Authentication data model).
- action: Action performed on the resource (endpoint), commonly set to values such as success, failure, pending, and error.
- dest: Target involved in the authentication, commonly set to an IP address or hostname.
- dest_nt_domain: Name of the Active Directory domain used by the authentication target, if applicable.
- src: Source involved in the authentication, commonly set to an IP address or hostname.
- user: Actual string or identifier that a user logs in with.
Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, Network authentication is typically mapped to the Authentication, Certificates and Endpoint models.
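As an added example (not part of this Splunk documentation), the Python below normalizes two constructed, vendor-specific event formats onto the CIM-style field names above and then derives per user the success count, the failed attempts, and the signed-on duration that the text describes. The source formats, the field aliases, and the sample values are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample events in two hypothetical vendor formats (not real product output).
RAW_EVENTS = [
    ("vpn", "2024-03-01T08:00:00 evt=login result=ok uname=alice ip=10.1.1.5 gw=vpn-gw01"),
    ("vpn", "2024-03-01T12:30:00 evt=logout result=ok uname=alice ip=10.1.1.5 gw=vpn-gw01"),
    ("ad", "2024-03-01T09:15:00 EventType=Logon Status=Failure TargetUser=bob Workstation=10.1.1.9 Server=dc01"),
    ("ad", "2024-03-01T09:15:20 EventType=Logon Status=Failure TargetUser=bob Workstation=10.1.1.9 Server=dc01"),
    ("ad", "2024-03-01T09:16:00 EventType=Logon Status=Success TargetUser=bob Workstation=10.1.1.9 Server=dc01"),
]

# Assumed per-source aliases onto CIM-style names; real add-ons do this with field aliases/props.
FIELD_MAP = {
    "vpn": {"result": "action", "uname": "user", "ip": "src", "gw": "dest", "evt": "event"},
    "ad": {"Status": "action", "TargetUser": "user", "Workstation": "src", "Server": "dest", "EventType": "event"},
}
ACTION_MAP = {"ok": "success", "Success": "success", "Failure": "failure"}  # vendor value -> CIM action
EVENT_MAP = {"login": "signon", "Logon": "signon", "logout": "signoff"}      # vendor value -> sign-on/off


def normalize(source, line):
    """Parse one key=value event line and rename its fields to the CIM-style names."""
    ts, *kvs = line.split()
    raw = dict(kv.split("=", 1) for kv in kvs)
    ev = {FIELD_MAP[source].get(k, k): v for k, v in raw.items()}
    ev["_time"] = datetime.fromisoformat(ts)
    ev["action"] = ACTION_MAP.get(ev["action"], "unknown")
    ev["event"] = EVENT_MAP.get(ev["event"], ev["event"])
    return ev


def summarize(events):
    """Per user: successful sign-ons, failed sign-ons, and seconds signed on (sign-on paired with next sign-off)."""
    stats, open_sessions = {}, {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        s = stats.setdefault(ev["user"], {"success": 0, "failure": 0, "duration_s": 0})
        key = (ev["user"], ev["src"], ev["dest"])  # one session per user/src/dest triple
        if ev["event"] == "signon" and ev["action"] == "success":
            s["success"] += 1
            open_sessions[key] = ev["_time"]
        elif ev["event"] == "signon":
            s["failure"] += 1
        elif ev["event"] == "signoff" and key in open_sessions:
            s["duration_s"] += int((ev["_time"] - open_sessions.pop(key)).total_seconds())
    return stats


if __name__ == "__main__":
    print(summarize([normalize(src, line) for src, line in RAW_EVENTS]))
```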
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In. In addition, the following data sources have add-ons and apps available in Splunkbase to optimize data collection and help you with analysis and visualizations.