Dashboards and reports on Authentication events in Splunk.
Author | Aplura, LLC |
App Version | 1.3.4 |
App Build | 186 |
Creates an index | False |
Implements summarization | No |
Summary Indexing | False |
Data Model Acceleration | If Enabled |
Data Model | Authentication |
Report Acceleration | False |
Splunk Enterprise versions | 9.2, 9.1, 9.0, 8.2, 8.1, 8.0 |
Platforms | Splunk Enterprise, Splunk Cloud |
This App provides the following scripts:
Diag.py
For use with the diag
command.
version.py
For use with keeping track of the version number within Python scripts.
app_properties.py
Provides app properties for python files.
Most sourcetypes contain authentication events of some sort. This app provides Splunk dashboards, forms, and reports which can be used to explore your authentication events across your different sourcetypes.
To do this, the app relies on the Splunk Common Information Model (CIM) for authentication events. This means that the app can report on any authentication data, as long as it has been on-boarded properly, and is available through the Authentication data model.
This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it.
As mentioned above, the app uses the CIM for authentication events. The CIM allows you to take events from a number of sources or products, and report on them in one cohesive manner, using a common set of names for fields and event types.
Provides a starting point for exploring your authentication events. Most panels will drill-down to other pages in the application.
A view based on a single users authentication activity.
Authentication events which appear to come from a single source.
Authentication events where users are authenticating against the same destination.
Panels which focus on events which all are from the same application (win:local, ssh, vpn, etc).
A view based in the action (success
, failure
, unknown
) from the authentication event.
Reports on default authentication occurring in the environment. See the Customization section of this document for more information about how this dashboard can be customized for your deployment.
Reports on privileged authentication occurring in the environment. See the Customization section of this document for more information about how this dashboard can be customized for your deployment.
A form for finding events based on various field values.
Where in the World are authentications originating? View that here.
Information about the sourcetypes which are present in the accelerated data.
A simple HTML version of this document.
Configure PAVO Authentication App for Splunk
PAVO Authentication App for Splunk contains the following lookup files.
apl_aut_default_users.csv
apl_aut_priv_users.csv
PAVO Authentication App for Splunk does not include an event generator.
Summary Indexing: No
Data Model Acceleration: If Enabled
Report Acceleration: No
Added Data Transparency Overview dashboard under advanced menu
Added PAVO Banner Service
Compatibility for jQuery 3.5
Add filter on source profile dashboard
Fix issue with search query
Update title on dashboards
Documentation Fixes
Initial Release
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.