Our Work

Increased visibility into security and infrastructure

EDUCATION

Our client in the education sector is responsible for managing an environment comprising thousands of accounts and generating millions of authentication attempts each day. To provide increased visibility into, and alerting on, anomalous activity within the environment, Chamonix was engaged to develop new data analytics, searching, and reporting functionality using Splunk Cloud.

The engagement focused on reviewing the current configuration of the client’s enterprise systems, enabling additional authentication and privileged-event logging on Microsoft Active Directory Domain Controllers, and ingesting that data into the Splunk platform. This involved a significant change to existing logging: new Group Policy Objects to turn on the required audit policies, new on-premises Splunk infrastructure to form a data forwarding tier, and the rollout of Splunk Universal Forwarders to individual machines to collect the relevant log files. Additionally, logs were gathered from Microsoft Azure, with custom Python-based modular inputs created to correlate user accounts accessing on-premises and cloud infrastructure. Using data from these sources we then created dashboards and alerts covering the following areas:

  • Active Directory health
  • Anomalous or prohibited authentication attempts
  • Lateral movement
  • Concurrent access
  • Elevated actions performed on privileged and unprivileged accounts
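As an added illustration, not code from the original case study or from Chamonix, the Python below runs two of the alert categories listed above over a handful of constructed logon records shaped like Windows Security Event ID 4624 (successful logon): concurrent access, meaning one account authenticating from more than one source address inside a short window, and privileged accounts logging on interactively to machines other than designated admin hosts. The field names, the `adm-` naming convention for privileged accounts, the admin host set and the five-minute window are all assumptions made for the example.

```python
"""Logon-anomaly checks over constructed Windows Security events (example only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real data: successful logons (Event ID 4624) as they
# might be indexed from forwarded domain controller and workstation Security logs.
# Logon types: 2 = interactive console, 3 = network, 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T08:01:12", "account": "jsmith",    "host": "WS-1021", "src_ip": "10.20.1.21", "logon_type": 2},
    {"ts": "2024-03-04T08:01:40", "account": "jsmith",    "host": "FS-01",   "src_ip": "10.20.1.21", "logon_type": 3},
    {"ts": "2024-03-04T08:02:05", "account": "jsmith",    "host": "WS-2077", "src_ip": "10.30.7.77", "logon_type": 2},
    {"ts": "2024-03-04T08:03:10", "account": "adm-kwong", "host": "WS-1055", "src_ip": "10.20.1.55", "logon_type": 2},
    {"ts": "2024-03-04T08:05:00", "account": "adm-kwong", "host": "PAW-02",  "src_ip": "10.99.0.2",  "logon_type": 10},
    {"ts": "2024-03-04T08:06:30", "account": "adm-svc01", "host": "DC-01",   "src_ip": "10.99.0.1",  "logon_type": 3},
    {"ts": "2024-03-04T08:40:00", "account": "mlee",      "host": "WS-3001", "src_ip": "10.40.0.1",  "logon_type": 2},
    {"ts": "2024-03-04T09:40:00", "account": "mlee",      "host": "WS-3002", "src_ip": "10.40.0.2",  "logon_type": 2},
]

ADMIN_PREFIX = "adm-"               # assumed naming convention for privileged accounts
ADMIN_HOSTS = {"PAW-02", "DC-01"}   # assumed set of hosts where admin logons are allowed
INTERACTIVE_TYPES = {2, 10}         # logon types that leave reusable credentials on the host


def concurrent_access(events, window_seconds=300):
    """Accounts seen authenticating from two or more source addresses within
    `window_seconds`. Keyed on source IP rather than target host so that a
    workstation user touching several servers over the network is not flagged.
    Returns [(account, (ip, ip, ...)), ...] in first-seen account order."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["src_ip"]))

    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        for i, (t0, ip0) in enumerate(logons):
            ips = {ip0}
            for t1, ip1 in logons[i + 1:]:
                if t1 - t0 > window:
                    break           # later logons are outside this window
                ips.add(ip1)
            if len(ips) > 1:
                alerts.append((account, tuple(sorted(ips))))
                break               # one alert per account per run is enough
    return alerts


def privileged_logons_off_admin_hosts(events, admin_prefix=ADMIN_PREFIX,
                                      admin_hosts=ADMIN_HOSTS):
    """Privileged accounts logging on interactively (console or RDP) to hosts
    that are not designated admin machines, i.e. the behaviour a policy of
    'no privileged accounts on ordinary workstations' is meant to prevent.
    Returns [(account, host, logon_type), ...]."""
    return [
        (e["account"], e["host"], e["logon_type"])
        for e in events
        if e["account"].startswith(admin_prefix)
        and e["logon_type"] in INTERACTIVE_TYPES
        and e["host"] not in admin_hosts
    ]


if __name__ == "__main__":
    for account, ips in concurrent_access(SAMPLE_EVENTS):
        print(f"concurrent access: {account} from {', '.join(ips)}")
    for account, host, ltype in privileged_logons_off_admin_hosts(SAMPLE_EVENTS):
        print(f"privileged logon off admin host: {account} -> {host} (type {ltype})")
```

Two design points carry over to a real Splunk deployment: concurrent access is judged on the source address rather than the target host, because a normal user legitimately touches many servers over network logons (type 3), and the privileged-logon check only counts interactive and RDP logons, since those are the ones that leave credentials on the machine. In Splunk the same questions become a distinct count of source addresses per account over a time bucket, and a filter of privileged accounts against an admin-host lookup.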


The increased visibility provided by the Splunk Cloud implementation has already paid dividends: it has allowed our client to detect anomalous login events, to update security policy so that users no longer log on to machines with privileged accounts, and to keep the access of external service providers in check.

Upon completion of the initial engagement, Chamonix proposed and completed the ingestion of additional data sources: file shares, to log file creation and deletion events, and ServiceNow ITSM, to provide deep insight into the business’s service desk operations.