Splunk Lantern

Authentication data


Network and local authentication data records sign-on and sign-off events, the status of each event (success or failure), the source and destination addresses, the service name, and the time of occurrence. These values are used to track who gained access to a computing asset, when the access took place, how long it lasted, and how often it occurs; failed access attempts are recorded as well. This data source also often carries authorization settings, so that once an identity has been authenticated, what that identity is authorized to do can be verified. Authentication data includes:

  • Active Directory: a distributed directory in which organizations define user and group identities, security policies, and content controls.
  • LDAP: an open standard defined by the IETF, typically used to provide user authentication (name and password). Its flexible directory structure can hold a variety of information such as full name, phone numbers, email and physical addresses, organizational units, workgroup, and manager.
  • Identity Management: the method of linking the users of digital resources, whether people, IoT devices, systems, or applications, to a verifiable online ID.
  • Single Sign-On (SSO): a process that uses federated identity management to provide verifiable, attestable identities from a single source to multiple systems. SSO significantly increases security by tying user credentials to a single source, so that changes to user rights and account status are made once and reflected in every application or service the user has access to. SSO is particularly important for users with elevated security rights, such as system or network administrators who have access to a large number of systems.

In the Common Information Model, authentication data is typically mapped to the Authentication data model.
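The following is an added illustration, not code from Splunk Lantern or from any Splunk product, of what that mapping means in practice: raw authentication events from three different sources are normalized into the field names the CIM Authentication data model uses (`action`, `app`, `user`, `src`, `dest`, `signature`, `reason`), and a simple failed-logon count is then run over the normalized records, which is only possible once the sources share one schema. The sample log lines are constructed; the Windows event codes 4624 (successful logon) and 4625 (failed logon) and the OpenSSH "Accepted"/"Failed ... for ... from" wording are real, while the `winauth`/`sso` line layouts and the five-failure threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events (not captured from any real system). Three sources
# in a simplified syslog-like layout: Windows Security, OpenSSH, and an SSO
# identity provider. The winauth and sso layouts are assumed for this example.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01Z winauth host=DC01 EventCode=4624 user=alice src=10.0.0.5 logon_type=3",
    "2024-05-01T08:00:07Z winauth host=DC01 EventCode=4625 user=bob src=10.0.0.9 logon_type=3",
    "2024-05-01T08:00:09Z winauth host=DC01 EventCode=4625 user=bob src=10.0.0.9 logon_type=3",
    "2024-05-01T08:00:12Z winauth host=DC01 EventCode=4625 user=bob src=10.0.0.9 logon_type=3",
    "2024-05-01T08:00:15Z winauth host=DC01 EventCode=4625 user=bob src=10.0.0.9 logon_type=3",
    "2024-05-01T08:00:20Z winauth host=DC01 EventCode=4625 user=bob src=10.0.0.9 logon_type=3",
    "2024-05-01T08:01:00Z sshd host=web01 Accepted publickey for carol from 192.0.2.10 port 52000 ssh2",
    "2024-05-01T08:01:30Z sshd host=web01 Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2",
    "2024-05-01T08:02:00Z sso host=idp01 app=payroll user=alice@example.com result=SUCCESS src=10.0.0.5",
    "2024-05-01T08:02:05Z sso host=idp01 app=payroll user=dave@example.com result=FAILURE src=10.0.0.22 reason=mfa_denied",
]

WIN_RE = re.compile(
    r"^(?P<time>\S+) winauth host=(?P<host>\S+) EventCode=(?P<code>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)
SSH_RE = re.compile(
    r"^(?P<time>\S+) sshd host=(?P<host>\S+) (?P<verdict>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
SSO_RE = re.compile(
    r"^(?P<time>\S+) sso host=(?P<host>\S+) app=(?P<app>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?"
)

# Windows Security event IDs for interactive/network logon outcome.
WIN_ACTIONS = {"4624": "success", "4625": "failure"}


def normalize(line):
    """Map one raw line to CIM Authentication fields; None if it is not an auth event."""
    m = WIN_RE.match(line)
    if m:
        return {
            "_time": m["time"], "action": WIN_ACTIONS.get(m["code"], "unknown"),
            "app": "win:security", "user": m["user"], "src": m["src"],
            "dest": m["host"], "signature": f"EventCode {m['code']}", "reason": None,
        }
    m = SSH_RE.match(line)
    if m:
        return {
            "_time": m["time"], "action": "success" if m["verdict"] == "Accepted" else "failure",
            "app": "sshd", "user": m["user"], "src": m["src"], "dest": m["host"],
            "signature": f"{m['verdict']} {m['method']}", "reason": None,
        }
    m = SSO_RE.match(line)
    if m:
        return {
            "_time": m["time"], "action": "success" if m["result"] == "SUCCESS" else "failure",
            "app": m["app"], "user": m["user"], "src": m["src"], "dest": m["host"],
            "signature": f"sso {m['result'].lower()}", "reason": m["reason"],
        }
    return None


def normalize_all(lines):
    """Normalize every parseable line; unparseable lines are dropped."""
    return [e for e in (normalize(line) for line in lines) if e is not None]


def action_summary(events):
    """Count of normalized events per CIM action value (success/failure/unknown)."""
    return dict(Counter(e["action"] for e in events))


def failed_logons_by_user(events, threshold=5):
    """Users whose failure count meets the threshold, across all sources at once.

    The threshold of 5 is an arbitrary value for this example; in practice the
    count would be taken over a time window and tuned per environment.
    """
    counts = Counter(e["user"] for e in events if e["action"] == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LOGS)
    print(action_summary(events))
    print(failed_logons_by_user(events))
```

Because every record carries the same `action`, `user` and `src` fields after normalization, the failure count covers Windows, SSH and SSO logons together; the same is true of the CIM Authentication data model in Splunk, where a single search over the data model sees events from every source that has been mapped to it.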

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Use cases for Splunk security products

Be sure to explore the Splunk Security Content site to see what detections you can run in Splunk Enterprise Security with Authentication data.

Use cases for Splunk Observability Cloud