
Access Control: Alerts

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10

Anomalous Access

The Anomalous Access alert is designed to detect anomalous behaviors in access activity based on unique or total counts dictated by your organization's policy (thresholds).

The following search is responsible for gathering the anomalous access data:

Image:Ess_accesscontrol_anomalous_access.png

Search Output

The search above outputs the following table:

src_bestmatch   action   app_count  dest_count  user_count  total_count
172.19.150.58   failure  3          3           3           3
172.19.150.98   failure  2          3           3           3
10.127.1.16     success  1          3           2           387
172.19.150.140  failure  3          2           7           7
172.19.150.102  failure  3          2           6           6

The Results

The results of this search are further processed by a script that the search calls once it has finished. This allows us to:

  1. Filter the results by your organization's policy (thresholds).
  2. Polish the message associated with the report results.
  3. Integrate with your organization's notification systems.

The Message

The Enterprise Security Suite is providing this notification on behalf of your organization's current Anomalous Authentication Policy. This notification contains an attachment with the 14 attacker(s) that generated authentication activity exceeding the following threshold(s).


A value of -1 indicates the policy is disabled:

Alert when an attacker fails authentication a total of 50 or more times

Alert when an attacker succeeds authentication a total of 10 or more times

Alert when an attacker fails authentication to 5 or more distinct applications

Alert when an attacker succeeds authentication to 8 or more distinct applications

Alert when an attacker fails authentication to 4 or more distinct targets

Alert when an attacker succeeds authentication to 3 or more distinct targets

Alert when an attacker fails authentication attempting 5 or more distinct user names

Alert when an attacker succeeds authentication using 11 or more distinct user names


This alert policy can be modified in the Admin->Applications->ESS-AccessControl->Configure menu within Splunk
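The following is an added example, not the post-search script that ships with the Enterprise Security Suite: it applies the eight Anomalous Access thresholds quoted in the message above to the Search Output table, honouring -1 as "rule disabled". It assumes each search result row is a dict keyed by the table's column names.

```python
# Added example: threshold filter for the Anomalous Access alert.
# A threshold of -1 disables that rule, as the notification text states.

# (action, metric) -> threshold, taken from the "Alert when ..." lines above.
POLICY = {
    ("failure", "total_count"): 50,  # fails authentication 50 or more times
    ("success", "total_count"): 10,  # succeeds authentication 10 or more times
    ("failure", "app_count"): 5,     # fails to 5 or more distinct applications
    ("success", "app_count"): 8,     # succeeds to 8 or more distinct applications
    ("failure", "dest_count"): 4,    # fails to 4 or more distinct targets
    ("success", "dest_count"): 3,    # succeeds to 3 or more distinct targets
    ("failure", "user_count"): 5,    # fails with 5 or more distinct user names
    ("success", "user_count"): 11,   # succeeds with 11 or more distinct user names
}

# Rows copied from the Search Output table above (constructed here as dicts).
SEARCH_OUTPUT = [
    {"src_bestmatch": "172.19.150.58", "action": "failure",
     "app_count": 3, "dest_count": 3, "user_count": 3, "total_count": 3},
    {"src_bestmatch": "172.19.150.98", "action": "failure",
     "app_count": 2, "dest_count": 3, "user_count": 3, "total_count": 3},
    {"src_bestmatch": "10.127.1.16", "action": "success",
     "app_count": 1, "dest_count": 3, "user_count": 2, "total_count": 387},
    {"src_bestmatch": "172.19.150.140", "action": "failure",
     "app_count": 3, "dest_count": 2, "user_count": 7, "total_count": 7},
    {"src_bestmatch": "172.19.150.102", "action": "failure",
     "app_count": 3, "dest_count": 2, "user_count": 6, "total_count": 6},
]


def violated_rules(row, policy=POLICY):
    """Return [(metric, threshold), ...] for every enabled rule this row meets."""
    hits = []
    for (action, metric), threshold in policy.items():
        if threshold == -1 or row["action"] != action:
            continue  # rule disabled, or it applies to the other outcome
        if row[metric] >= threshold:
            hits.append((metric, threshold))
    return hits


def filter_by_policy(rows, policy=POLICY):
    """Keep only rows that trip at least one rule: the attachment's content."""
    report = []
    for row in rows:
        hits = violated_rules(row, policy)
        if hits:
            report.append((row["src_bestmatch"], row["action"], hits))
    return report
```

On the sample table only 10.127.1.16 (387 successes, 3 distinct targets), 172.19.150.140 and 172.19.150.102 (7 and 6 distinct user names on failure) pass the filter; the two sources with 3 total failures are dropped.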

Correlated Access

The Correlated Access alert is designed to correlate behaviors in access activity dictated by your organization's policy (thresholds).

The following search is responsible for gathering the correlated access data:

Image:Ess_accesscontrol_correlated_access.png

Search Output

The search above outputs the following table:

src_bestmatch   dest_bestmatch          action   total_count
172.19.150.106  acmeapp01.acmetech.com  failure  4
172.19.150.106  domU-12-31-39-03-BD-A5  success  1
172.19.150.108  acmeapp01.acmetech.com  failure  2
172.19.150.110  acmeapp01.acmetech.com  failure  2
172.19.150.110  ubuntufish              failure  1

The Results

The results of this search are further processed by a script that the search calls once it has finished. This allows us to:

  1. Filter the results by your organization's policy (thresholds).
  2. Polish the message associated with the report results.
  3. Integrate with your organization's notification systems.

The Message

The Enterprise Security Suite is providing this notification on behalf of your organization's current Correlated Access Control Policy. This notification contains an attachment with the 2 attacker(s) that generated authentication activity exceeding the following threshold(s).


A value of -1 indicates the policy is disabled:

Alert when an attacker fails authentication 10 or more time(s) and then successfully authenticates to the same system 1 or more time(s)


This alert policy can be modified in the Admin->Applications->ESS-AccessControl->Configure menu within Splunk
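The following is an added example, not the Enterprise Security Suite's own post-search script: it applies the Correlated Access policy quoted above (10 or more failures and 1 or more successes against the same system) to the Search Output rows. Because none of the five sample rows pair a failure and a success on the same destination, two constructed rows for a placeholder source 10.0.0.5 are appended so that one pair matches.

```python
# Added example: the Correlated Access policy over the search output rows.
# -1 for either threshold disables the policy, as the notification text states.
from collections import defaultdict

FAIL_THRESHOLD = 10     # "fails authentication 10 or more time(s)"
SUCCESS_THRESHOLD = 1   # "then successfully authenticates ... 1 or more time(s)"

# Rows from the Search Output table above, plus two constructed rows
# (placeholder source 10.0.0.5) so that one (src, dest) pair meets both conditions.
# Note that 172.19.150.106 fails against acmeapp01 but succeeds against a
# different host, so it must NOT be reported: the policy says "same system".
SEARCH_OUTPUT = [
    ("172.19.150.106", "acmeapp01.acmetech.com", "failure", 4),
    ("172.19.150.106", "domU-12-31-39-03-BD-A5", "success", 1),
    ("172.19.150.108", "acmeapp01.acmetech.com", "failure", 2),
    ("172.19.150.110", "acmeapp01.acmetech.com", "failure", 2),
    ("172.19.150.110", "ubuntufish", "failure", 1),
    ("10.0.0.5", "acmeapp01.acmetech.com", "failure", 12),  # constructed
    ("10.0.0.5", "acmeapp01.acmetech.com", "success", 1),   # constructed
]


def correlate(rows, fail_threshold=FAIL_THRESHOLD,
              success_threshold=SUCCESS_THRESHOLD):
    """Return sorted (src, dest) pairs where one source both failed and
    succeeded against the same destination at or above the thresholds.

    The search output only carries totals per (src, dest, action), so this
    checks co-occurrence on the same system; the "and then" ordering could
    only be enforced if the search also returned timestamps."""
    if fail_threshold == -1 or success_threshold == -1:
        return []  # policy disabled
    totals = defaultdict(lambda: {"failure": 0, "success": 0})
    for src, dest, action, total_count in rows:
        bucket = totals[(src, dest)]
        bucket[action] = bucket.get(action, 0) + total_count
    return sorted(
        pair for pair, c in totals.items()
        if c["failure"] >= fail_threshold and c["success"] >= success_threshold
    )
```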


Adjusting Alert Frequencies

By default most alerts run on a daily basis. This gives us a couple of advantages.

  1. We can detect "low and slow" attacks that may have been spaced out over a 24-hour period.
  2. You get one easy-to-use report every day.

This can easily be adjusted and is described below:

  1. Edit the saved search used to generate the alert
    • Browse the Admin->Saved Searches-> menu and select the search you want to modify. In this example we select "Access - Anomalous Access - Last 24 hours".
    • Modify the search (as shown in the image below) to indicate "starthoursago=x" or "startminutesago=x", where 'x' is the number of hours or minutes, respectively, to report across
      Image:Ess_accesscontrol_timeadjust_search.png
    • Modify the schedule (as shown in the image below) to match the frequency coded in the search text in the previous step
      Image:Ess_accesscontrol_timeadjust_schedule.png
  2. Edit the policy subject
    • Browse the Admin->Applications->ESS-AccessControl->Configure menu and find the search you want to modify.
    • Change the response title (as shown in the image below) to reflect the changes made to the frequency in the previous steps
      Image:Ess_accesscontrol_timeadjust_configure.png


Revision: 207