Shine a light on who is accessing what, where, and when.
Functioning, secure authentication is critical to every business, which is why monitoring authentication activity is an ongoing task for organizations of every size. Automating this task requires complex foundational logic: data normalization, parsing rules, data enrichment, correlation alerts, dashboards, and alerts, among other things.
Every IT team wants authentication monitoring automated, and most IT teams don't have the time to build it. That is why we built it for you.
Authentication is the first module in the Illuminate application. It creates a foundation to normalize all authentication data, regardless of source. As a result, you get consistency in reporting, alerting, and analysis plus the power to easily correlate authentication data across different types of data sources.
AUTHENTICATION LOG DATA MONITORING AND ANALYSIS MADE EASY
Built by Graylog’s Enterprise Intelligence team, Graylog Illuminate for Authentication benefits everyone on the IT team, and by extension the entire company. It eliminates the manual setup necessary to detect, monitor, and analyze authentication issues across your IT infrastructure.
Initially, Illuminate for Authentication will spotlight Windows authentication issues and activities. Since Windows authentication data is by far the most common and the most voluminous source of authentication log messages throughout the world, starting there is how Graylog delivers the most value to our Enterprise customer base.
How it works
Graylog Illuminate for Authentication comes with Windows-focused data normalization, parsing rules, data enrichment, correlation alerts, dashboards, and alerts. Once deployed, Graylog Enterprise customers save hundreds of hours, can leverage our in-house expertise, and gain visibility into who is trying to log into what throughout their IT environment.
From there, data enrichment, such as geolocation or tagging an IP address as internal or external, is applied. With data fields aligned, properly classified, and useful information added to the log messages, all authentication data can then be analyzed consistently. This enables you to see all your authentication data in one chart, run traces of user activity across different types of endpoints and apps, and build “universal” alerts and dashboards.
Spotlight on Windows for Authentication
The Graylog Illuminate Windows Auth Spotlight relies on log delivery agents such as Winlogbeat or NXLog, which can be deployed and managed with Graylog Sidecar. Sidecar connects these agents to Graylog in a centralized and stackable configuration. Illuminate then parses and normalizes that data so that fields can be processed in the same way, regardless of what the original data source calls them, and numeric fields or date fields are handled appropriately.
Spotlight on Okta for Authentication
The Graylog Illuminate Okta Spotlight enhances the Okta Input introduced in Graylog v3.3. By extracting and normalizing the Okta System Logs, it gives the analyst insight and actionable information into the utilization and activities taking place in one or more Okta Organizations. The input pulls the data via Okta’s API, and from there Okta events are searchable by Okta’s built-in categories, event names, SSO target application, and other criteria.
The Data is in the Dashboards
The Dashboards are where Graylog’s Illuminate for Authentication shines, shedding light on key log events in aggregate as well as providing specific Windows and Okta account investigation drill-downs and device investigation drill-downs. All the dashboards are designed with widgets so you can drill down into the authentication activities you want to investigate.
For example, the Enterprise Dashboard includes several widgets for monitoring successful and failed authentication counts and trends across your entire IT environment. If there is an increase in failed logins on the Failed Authentication widget since the last time the search was run, you will see it in a color-coded bar. To investigate the anomalous activity, click that bar in the chart and begin exploring.
WINDOWS: Kerberoasting (the abuse of weakly encrypted Kerberos service ticket requests) has been around for a while, but it still happens regularly. The Illuminate Windows Authentication Dashboard comes with a widget specifically designed for detecting Kerberoasting. It displays the number of Kerberos ticket requests using weak encryption so that you can remediate the accounts involved before they are attacked.
WINDOWS: Graylog Illuminate for Authentication includes Windows Authentication and Enterprise Dashboards with an Error Codes by Count widget for detecting service account password expirations in record time. For example, service accounts experiencing failed logins can cause outages and/or data errors. You want to know right away when this happens, ideally before users are impacted.
OKTA: MFA (Multi-Factor Authentication) types let you see which users are using which factors, or find out how many applications are in use and how frequently users access the applications protected by Okta. This eliminates the need to review app usage month by month, resulting in license savings.
WINDOWS AND OKTA: Increased visibility into authentication activities usually uncovers performance and operational issues that you need to resolve. Expired service account passwords, which cause process failures and service account outages, are the most common, and these can go undetected for weeks or longer.
Password sprays are another event that occurs regularly. Illuminate for Authentication gives you insight into your environment so you can identify such events and respond as appropriate. If you want to monitor these events over time, we give you an alert that triggers when one source is responsible for 15 or more failed password attempts against 3 or more different user accounts in a 10-minute period, and from there you can take the necessary investigative steps to prevent a security breach.
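The spray rule above (one source, 15 or more failures, 3 or more distinct accounts, within 10 minutes) implemented as a sliding-window detector over normalized events, as an added illustration rather than Graylog's own alert logic; the field names, the sample events and the once-per-source alerting behaviour are assumptions, not the Illuminate schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the alert described on this page.
WINDOW = timedelta(minutes=10)
MIN_FAILURES = 15
MIN_ACCOUNTS = 3


def detect_password_spray(events, window=WINDOW, min_failures=MIN_FAILURES,
                          min_accounts=MIN_ACCOUNTS):
    """Slide a per-source window over normalized auth events and return one
    alert per source the first time it has >= min_failures failed logins
    against >= min_accounts distinct accounts within `window`."""
    recent = defaultdict(deque)   # source_ip -> deque of (timestamp, user_name)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["outcome"] != "failure":      # successes never count toward a spray
            continue
        src, q = ev["source_ip"], recent[ev["source_ip"]]
        q.append((ev["timestamp"], ev["user_name"]))
        while ev["timestamp"] - q[0][0] > window:   # evict attempts older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_accounts and src not in alerted:
            alerted.add(src)   # alert once per source; a SIEM would re-arm after the window
            alerts.append({"source_ip": src, "failed_attempts": len(q),
                           "accounts": sorted(users), "window_end": ev["timestamp"]})
    return alerts


# Constructed sample events; field names are assumed, not the Illuminate schema.
BASE = datetime(2024, 1, 1, 8, 0, 0)


def _ev(minute, src, user, outcome="failure"):
    return {"timestamp": BASE + timedelta(minutes=minute), "source_ip": src,
            "user_name": user, "outcome": outcome}


SAMPLE_EVENTS = (
    # 10.0.0.5: 15 failures across 5 accounts in 8 minutes -> a spray
    [_ev(i % 8, "10.0.0.5", f"user{i % 5}") for i in range(15)]
    # 10.0.0.9: 20 failures on one account (e.g. expired service password), not a spray
    + [_ev(i % 9, "10.0.0.9", "svc_backup") for i in range(20)]
    # 10.0.0.7: one failure every 2 minutes over 15 accounts, never 15 in any 10 min
    + [_ev(2 * i, "10.0.0.7", f"user{i}") for i in range(15)]
    # a success from the spraying source is ignored
    + [_ev(3, "10.0.0.5", "user1", "success")]
)

if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The single-account source is exactly the expired service account case from the previous section: it trips a failure count but not the spray rule, which is why the distinct-account condition matters.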
Frequently Asked Questions
The Graylog Illuminate Windows Spotlight requires Graylog Enterprise v3.3+ (v3.2 also works in a limited capacity) and Active Directory, and works with Winlogbeat 6.4 (included with Sidecar), Winlogbeat 7.6, NXLog 2.1, or syslog log shippers. The Okta Spotlight requires Graylog v3.3 and access to the Okta API.
No, the schema is foundational to ensuring that data enrichment, alerts, search templates, dashboards, and reports all work across all data sources so that you can combine, correlate, and analyze authentication data across endpoints, apps, and networking equipment. You are welcome to make a copy and customize it, but future Illuminate updates will not be applied and may not work.
If you want Dashboards and Alerts (Windows only) that are different from what comes with the app, we recommend you create copies and make changes from there to ensure future updates do not overwrite your customizations.