TIPS & TRICKS

Splunking Box Data – User Authentications

The Splunk Add-on for Box collects a lot of valuable data including Box users, files, folders, groups, and more.  Included in the Splunk Add-on for Box are several pre-built panels to get quick insights into this data.  The purpose of this post is to introduce use cases for Box data, both those covered by the pre-built panels and custom searches and visualizations that are not.

User Authentications

Before a user can access Box content, they have to authenticate.  It is important to keep an eye on the percentage of failed logins, where logins are coming from, user accounts associated with failed logins, etc.  The Splunk Add-on for Box has an event type named box_events_authentication that gives you all the raw Box authentication events.  Using this event type, we can get a good amount of intelligence about our user authentications.

Percentage of Failed Logins

Knowing the percentage of failed logins over time can help you get a baseline for your environment and possibly set up an alert if you see the percentage spike outside the normal range.  This could indicate malicious activity.  Here is an example search and visualization:

Search:

eventtype=box_events_authentication action!="unknown" | stats count by _time action ip_address | timechart count by action limit=10 usenull=f | eval pct_failed=failure/(failure+success)*100 | eval pct_failed=round(pct_failed,1) | rename pct_failed AS "% Failed"

Visualization:

Box - login failed percent
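The search above gives you the percentage per time bucket, but the alerting decision (what counts as a spike "outside the normal range") still has to be made.  The following Python is an added example, not part of the original post or of the Splunk Add-on for Box: it reproduces the SPL pipeline (pre-aggregation by _time, action and ip_address, then a per-bucket failure percentage) over constructed events and then compares each bucket against a baseline built from the preceding buckets.  The events, IP addresses and timestamps are constructed; the mapping of Box's LOGIN / FAILED_LOGIN event types onto the add-on's action=success / action=failure values is an assumption made for the example.

```python
"""Failed-login percentage with a baseline and a spike alert.

Added example: mirrors the SPL
  stats count by _time action ip_address | timechart count by action | eval pct_failed
in plain Python so the alert threshold can be reasoned about offline.
All sample data below is constructed, not real Box data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption for this example: raw Box event_type -> add-on style action value.
ACTION_MAP = {"LOGIN": "success", "FAILED_LOGIN": "failure"}


def bucket(ts: str, span_seconds: int = 3600) -> int:
    """Floor an ISO-8601 UTC timestamp to the start of its bucket (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % span_seconds


def timechart_pct_failed(events, span_seconds=3600):
    """Return {bucket_start: pct_failed} for events whose action is known.

    As in the SPL, rows that share (_time, action, ip_address) collapse into one
    before counting, and events with an unknown action are dropped.
    """
    seen = set()
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        action = ACTION_MAP.get(ev["event_type"])
        if action is None:  # equivalent of action!="unknown"
            continue
        key = (ev["created_at"], action, ev["ip_address"])
        if key in seen:
            continue
        seen.add(key)
        counts[bucket(ev["created_at"], span_seconds)][action] += 1
    series = {}
    for b, c in sorted(counts.items()):
        total = c["success"] + c["failure"]
        series[b] = round(100 * c["failure"] / total, 1) if total else None
    return series


def spike_alerts(pct_series, baseline_buckets=24, z=3.0, min_pct=20.0):
    """Flag buckets whose pct_failed exceeds mean + z*stdev of the preceding
    baseline buckets.  min_pct is a floor so that a perfectly quiet baseline
    (stdev 0) does not alert on a single extra failure."""
    buckets = sorted(pct_series)
    alerts = []
    for i, b in enumerate(buckets):
        history = [pct_series[h] for h in buckets[max(0, i - baseline_buckets):i]
                   if pct_series[h] is not None]
        cur = pct_series[b]
        if cur is None or len(history) < 3:  # not enough baseline yet
            continue
        threshold = max(mean(history) + z * pstdev(history), min_pct)
        if cur > threshold:
            alerts.append((b, cur, round(threshold, 1)))
    return alerts


def constructed_events():
    """Constructed sample: five quiet hours, then an hour of failures from many IPs."""
    events = []

    def add(hour, minute, event_type, ip):
        events.append({"created_at": f"2024-01-15T{hour:02d}:{minute:02d}:00Z",
                       "event_type": event_type, "ip_address": ip})

    for hour in range(6):
        for m in range(10):
            add(hour, m, "LOGIN", f"203.0.113.{m + 1}")  # 10 successes per hour
        add(hour, 30, "FAILED_LOGIN", "203.0.113.1")    # 1 failure per hour
    for m in range(15):                                  # burst in hour 5
        add(5, 40 + m, "FAILED_LOGIN", f"198.51.100.{m + 1}")
    add(5, 30, "FAILED_LOGIN", "203.0.113.1")  # duplicate row, collapsed by pre-aggregation
    return events


if __name__ == "__main__":
    series = timechart_pct_failed(constructed_events())
    for b, pct in series.items():
        print(datetime.utcfromtimestamp(b).isoformat(), pct)
    for b, pct, thr in spike_alerts(series):
        print(f"ALERT {datetime.utcfromtimestamp(b).isoformat()}: {pct}% failed > {thr}% threshold")
```

With the constructed data the quiet hours sit at 9.1% failed and the final hour jumps to 61.5%, which clears the 20% floor and is reported.  In Splunk the same comparison can be expressed by appending the baseline statistics to the timechart, but the point is the same: alert on deviation from your own baseline rather than on a fixed number picked in advance.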


Logins on a Map

Another compelling use case for this Box authentication data is geographically mapping successful and failed logins.  This helps you quickly identify whether you are seeing login events from regions you do not expect.  Here is an example search and visualization:

Search:

eventtype=box_events_authentication action!="unknown" | stats count by _time action ip_address | iplocation ip_address | geostats count by action

Visualization:

Box - login activity map


Putting it all Together

To make life easier and so that you can follow along at home, I have created a public GitHub repo that has these use cases pre-built.  I will be adding to this repo as this blog series progresses.

https://github.com/splunk/splunk-app-box


Posted by Jason Conger