Server Least Privilege Using Splunk’s Enterprise Audit Data Consumption

Paul Harper, Product Manager
September 20th, 2018

PowerBroker for Unix & Linux's primary functions are to control what a user can and cannot do when working on a Unix or Linux system, which may or may not include the elevation of a user's credentials. In addition to control, the other key function of the product is to audit user activity, down to the session level, covering system-level activity and not just what the user has typed on the command line. This function by itself generates extremely large amounts of audit data, and one of the most powerful features of Splunk is its ability to rapidly ingest, index, and present very large amounts of data.

While PowerBroker for Unix & Linux ships with its own log file indexing system (SOLR) and centralized reporting system (BeyondInsight), many organizations opt to consolidate all of their security information into one SIEM, such as Splunk. PowerBroker for Unix & Linux has long supported (and will continue to support) all common SIEM platforms by leveraging the syslog facility and allowing users to pick and choose which variables from each event type are sent to the SIEM. In talking with our customers, a common request has been for native, out-of-the-box integration between PowerBroker for Unix & Linux and Splunk that is faster to set up, which is what we are delivering today.

The Splunk Application for PowerBroker Unix & Linux provides a real-time, centralized view of privileged access activities across your hybrid server environment, with extensive visibility that allows for faster forensics and risk mitigation when identifying potential misuse of privileged accounts.

Key Features for Splunk Integration:

  • Detailed search and reporting across Unix and Linux privilege use
  • Privilege command activity data indexed and filterable
  • Recorded session data indexed and filterable
  • System-level control data indexed and filterable
  • Privilege usage dashboard

To learn more, download our Splunk solution brief.

PowerBroker for Unix & Linux Requirements for Splunk Integration:

  • PowerBroker for Unix & Linux 10.0.1 or higher
  • PowerBroker Unix & Linux App for Splunk v1.0 or higher (available from the Splunk App Store)

Paul Harper, Product Manager

Paul Harper is product manager for Unix and Linux solutions at BeyondTrust, guiding the product strategy, go-to-market and development for PowerBroker for Unix & Linux, PowerBroker for Sudo and PowerBroker Identity Services. Prior to joining BeyondTrust, Paul was a senior architect at Quest Software/Dell. Paul has more than 20 years of experience in Unix/Linux operations and deployments.