Privileged User Monitoring
Attackers are increasingly using privileged user credentials to access corporate resources, sensitive information and exfiltrate sensitive data. Privileged user accounts are accounts with elevated privileges, such as users with Domain Administrator rights or root privileges. Effective privileged user monitoring (PUM) helps organizations to protect critical assets, meet compliance requirements and mitigate both external threats and insider threats.
The Solution
Splunk Enterprise Security (ES) has built-in Identity and User dashboards, reports and alerting capabilities to track privileged user activity and to provide intelligence to protect your environment from internal and external attackers. Splunk ES also includes built-in correlation searches that report on privileged user activity across security domains.
Data Sources
Configure data from identity servers or directory servers such as Active Directory (AD) or LDAP.
Configuration
Start with Splunk Cloud and install ES (version 4.0 or later). In ES configure, an identity lookup that contains privileged user account information.
Workflow
Overview
The Identity Center dashboard in ES provides a snapshot of users and serves as a good starting point to monitor privileged users.
This dashboard has panels on identity data including a list of account names, account categories, department and other associated information. The identity data is used by Splunk Cloud to correlate user information to indexed events, providing detailed context.
Privileged User Monitoring Dashboard
Splunk Enterprise Security (ES) includes two reports that represent privileged user activity. These reports help determine the current status of privileged account usage in your environment, and you can create a dashboard to monitor the reports and those users easily.
1. Privileged account usage over time shows the total count of events over time that included a privileged user account. This report indicates the pattern of normal privileged account usage and identifies unusual or unexpected activity.
2. Privileged accounts in use shows privileged accounts in use during the selected time frame, as well as how many times the accounts have been used to log in. This report identifies rarely used accounts that suddenly show bursts of activity.
By creating a Privileged User Monitoring dashboard, privileged user account activity can be easily viewed from the two reports.
Insight into Privileged User Activities
To gain further insight into the activities of privileged users in your environment, an analyst can create correlation searches to produce notable events. For example, you can create a correlation search that identifies privileged users attempting to authenticate to an application at the same time, but from different hosts, or track when a privileged user upload a large file to a domain with “.ru.” With Splunk ES, it’s easy to create correlation searches using the guided mode, and using the Access and Identities data models to provide the detailed insight.
Summary
The Identity Center and Privileged User Monitoring dashboards provide summary overviews of privileged user activities. Correlation searches that use privileged user account data and network, endpoint, threat intelligence and application data, provide detailed information to determine the scale of potential threats and act on them, and start remedial activity.
For additional details, please refer to the Splunk Enterprise Security Use Case Documentation.