|Creates an index||false|
|Implements summarization||Currently, the app does not generate summaries|
Dashboards and reports on Authentication events in Splunk.
This App provides the following scripts:
|Diag.py||For use with the diag command.|
Version 1.3.1 of PAVO Authentication App for Splunk is compatible with:
|Splunk Enterprise versions||8.0, 7.3, 7.2, 7.1, 7.2|
Most sourcetypes contain authentication events of some sort. This app provides Splunk dashboards, forms, and reports which can be used to explore your authentication events across your different sourcetypes.
To do this, the app relies on the Splunk Common Information Model (CIM) for authentication events. This means that the app can report on any authentication data, as long as it has been on-boarded properly, and is available through the Authentication data model.
This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it.
As mentioned above, the app uses the CIM for authentication events. The CIM allows you to take events from a number of sources or products, and report on them in one cohesive manner, using a common set of names for fields and event types.
Provides a starting point for exploring your authentication events. Most panels will drill-down to other pages in the application.
A view based on a single users authentication activity.
Authentication events which appear to come from a single source.
Authentication events where users are authenticating against the same destination.
Panels which focus on events which all are from the same application (win:local, ssh, vpn, etc).
A view based in the action (
unknown) from the authentication event.
Reports on default authentication occurring in the environment. See the Customization section of this document for more information about how this dashboard can be customized for your deployment.
Reports on privileged authentication occurring in the environment. See the Customization section of this document for more information about how this dashboard can be customized for your deployment.
A form for finding events based on various field values.
Where in the World are authentications originating? View that here.
Information about the sourcetypes which are present in the accelerated data.
This app depends on data models included in the Splunk Common Information Model Add-on, specifically the
Authentication data model. Please review the information on installing and using the Splunk Common Information Model Add-on and information on configuring the acceleration on the data model.
The Splunk Common Information Model Add-on can be downloaded from Splunkbase.
This app has been tested with versions 4.8 of the CIM add-on.
In order to make the app respond and load quickly, accelerated data models are used to provide summary data. For this data to be available, the
Authentication data model must be accelerated. Information on how to enable acceleration for the
Authentication data model can be found here. The data model must be accelerated for the length of time for which you would like to see reporting.
There are two macros which may be customized to help this app fit into your environment, and make use of other lookups (possibly the ones from the Splunk App for Enterprise Security). In both of these cases, the result is that the search in the macro should output a user field which contains the users appropriate for your environment.
Used for the
Default Authentication dashboard. This list was put together from multiple sources, and may not contain all of the default users which may be available in your environment.
Used for the
Privileged Authentication dashboard. This list was put together from multiple sources, and may not contain all of the privileged users which may be available in your environment.
We strongly suggest that if you want to use customized versions of these lookups, you create new configurations for additional lookups, rather than editing the .csv files included in the app. Splunk lookup files are not upgrade safe, so future versions of the app may contain lookup files which may overwrite your customizations.
Version 1.3.1 of PAVO Authentication App for Splunk has the following known issues:
Access questions and answers specific to PAVO Authentication App for Splunk at https://answers.splunk.com . Be sure to tag your question with the App.
Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Download PAVO Authentication App for Splunk at https://splunkbase.splunk.com/app/4227.
This app should be installed on a search head where the
Authentication data model has been accelerated. More information on installing or upgrading Splunk apps can be found here.
Follow these steps to install the app in a single server instance of Splunk Enterprise:
PAVO Authentication App for Splunk contains the following lookup files.
PAVO Authentication App for Splunk does not include an event generator.
Version 1.3.1 of PAVO Authentication App for Splunk incorporates the following Third-party software or third-party services.
2019, Aplura, LLC.
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.