
How to integrate Splunk with UserLock

Learn how UserLock integrates with SIEMs like Splunk to provide real-time authentication data.

Published January 16, 2025
UserLock integration

Employee credentials have long been the soft underbelly of security and it’s no mystery as to why. Stolen credentials let attackers impersonate legitimate users, making them harder to detect. Security teams need clear visibility into login and authentication events to detect potential threats and respond quickly. Security Information and Event Management (SIEM) tools like Splunk make this possible by analyzing large amounts of event data for patterns and anomalies. But first, they need to gather this data.

UserLock integrates with Splunk in two ways to provide real-time authentication data. With UserLock, teams can track events such as failed logins, password changes, and multi-factor authentication (MFA) attempts, ultimately spotting suspicious activity faster and setting up automatic responses to protect the network.

What do SIEMs do: Giving security teams the big picture

What is network security? In many cases, the simplest answer is visibility. If you can “see” or detect the data traces and anomalies left by attackers, you can block their path into the network. However, a stumbling block is that even small networks generate large amounts of data, most of it completely routine and inconsequential.

SIEM tools overcome this problem of separating "good" data from "bad" data. Increasingly offered through software-as-a-service (SaaS) platforms, today’s SIEMs absorb and process data from as many sources as possible, including firewalls, applications and many other devices. Once inside a SIEM, data is correlated and analyzed, generating real-time security alerts that filter significant events from the mass of background noise.

In the past, manually filtering data from a handful of systems was seen as sufficient. Today, we better understand the limitations of this approach. Getting data and logs from every possible source is the new normal, something that only large, automated systems can possibly handle.

How hackers hide in data noise

The growth in machine-generated data over recent decades is one of computing’s biggest evolutions. Machine data used to be routine data from devices such as PCs, printers, and servers signaling their status as they started, shut down or rebooted. Then networks became more complex and machine-generated data collected in log files expanded massively to encompass every device and activity as well as what was going on inside applications.

Most people see networks as something that is full of physical or virtual objects such as computers and applications. However, another way to understand networking is as a web of objects generating and communicating data every time something occurs. SIEMs simply listen to and record the traces of these events to gain a deeper data-driven picture of what the network is doing at any moment in time.

How UserLock sends authentication data to Splunk

Receiving data on authentication events is hugely important for teams using SIEMs such as Splunk. You can integrate UserLock data with Splunk in two ways:

  • Read directly from the UserLock database: Splunk can pull data from a database. It just needs a rising column (a value that only ever increases, such as an event ID or timestamp), which is mandatory so that records are neither missed nor retrieved twice. Splunk’s documentation on creating and managing database inputs has more information.

  • Use a webhook: Here, there’s no direct integration, because the Splunk HTTP Event Collector (HEC) expects an authentication header that UserLock does not include by default. Clients who want this functionality generally develop a simple program that receives the access events from the UserLock webhook and forwards them to the Splunk HEC endpoint, adding the Splunk authentication header.

How webhook data works with Splunk

It’s an incredibly simple concept. Every time an authentication event occurs, for example when a user attempts MFA after entering credentials, the event is published to a unique URL in JSON or XML format. The receiving SIEM can then poll this URL to extract the data. This is a webhook. The sender, in this case UserLock, pushes data to a web URL and the application, Splunk (or another SIEM), pulls it in.

Importantly, this data can be used to record not only the fact of authentication but its deeper context. For example, in addition to the user’s ID, a JSON payload might also record:

  • The event’s timestamp

  • The IP address or geo-location of the user

  • The type of authentication used

  • Whether the authentication was passed

  • Any messages or errors the user generated while authenticating

If the user fails authentication or changes their password, this is recorded too, with subsequent webhooks publishing that a user has locked or unlocked their workstation or logged off.

Because an attacker could spoof JSON notifications, UserLock includes a unique and secret “UserLock ID” field in its communication. This field identifies the notification as coming from UserLock and not from an attacker.
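The relay program described under “Use a webhook” and the check on the secret “UserLock ID” field fit naturally in one small piece of code. The following is an added example written for this article, not code from IS Decisions or UserLock: it takes one webhook delivery, rejects it unless the secret field matches (using a constant-time comparison), strips that secret so it is never indexed, wraps the event in a Splunk HEC envelope and attaches the `Authorization: Splunk <token>` header that HEC requires. The field names in the sample event (`UserLockId`, `User`, `Timestamp`, `ClientIp`, `AuthType`, `Success`, `Message`), the HEC host and the token and secret values are all assumptions or placeholders, not UserLock’s real schema.

```python
import hmac
import json
import urllib.request
from datetime import datetime, timezone

# Placeholder settings; a real deployment would load these from a secret store.
SPLUNK_HEC_URL = "https://splunk.example.internal:8088/services/collector/event"  # assumed host
SPLUNK_HEC_TOKEN = "HEC-TOKEN-PLACEHOLDER"
USERLOCK_SECRET_ID = "USERLOCK-ID-PLACEHOLDER"
SECRET_FIELD = "UserLockId"  # hypothetical name of the secret field in the webhook body

# Constructed sample webhook body; field names are hypothetical, not UserLock's schema.
SAMPLE_EVENT = {
    "UserLockId": USERLOCK_SECRET_ID,
    "User": "jdoe",
    "Timestamp": "2025-01-16T08:15:30+00:00",
    "ClientIp": "203.0.113.42",
    "AuthType": "MFA",
    "Success": False,
    "Message": "MFA code rejected",
}


def verify_userlock_event(event: dict, secret: str, field: str = SECRET_FIELD) -> bool:
    """Accept the event only if its secret field matches, using a constant-time compare."""
    received = event.get(field)
    if not isinstance(received, str):
        return False
    return hmac.compare_digest(received.encode("utf-8"), secret.encode("utf-8"))


def build_hec_request(event: dict, token: str, hec_url: str,
                      host: str = "userlock-server", sourcetype: str = "userlock:auth"):
    """Wrap the event in a HEC envelope and attach the Splunk auth header.

    Returns (url, body_bytes, headers). The secret field is stripped so the
    shared secret is never indexed in Splunk.
    """
    forwarded = {k: v for k, v in event.items() if k != SECRET_FIELD}
    envelope = {"event": forwarded, "host": host,
                "source": "userlock-webhook", "sourcetype": sourcetype}
    ts = event.get("Timestamp")
    if isinstance(ts, str):
        # HEC takes epoch seconds; keep UserLock's own timestamp rather than arrival time
        envelope["time"] = int(datetime.fromisoformat(ts).astimezone(timezone.utc).timestamp())
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return hec_url, json.dumps(envelope).encode("utf-8"), headers


def handle_userlock_webhook(raw_body: bytes, secret: str = USERLOCK_SECRET_ID,
                            token: str = SPLUNK_HEC_TOKEN, hec_url: str = SPLUNK_HEC_URL):
    """Parse, verify and repackage one webhook delivery; None means it was rejected."""
    try:
        event = json.loads(raw_body)
    except ValueError:
        return None
    if not isinstance(event, dict) or not verify_userlock_event(event, secret):
        return None
    return build_hec_request(event, token, hec_url)


def send_to_splunk(raw_body: bytes) -> bool:
    """Network side of the relay: forward an accepted event to HEC (needs a reachable Splunk)."""
    prepared = handle_userlock_webhook(raw_body)
    if prepared is None:
        return False
    url, body, headers = prepared
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status == 200


if __name__ == "__main__":
    accepted = handle_userlock_webhook(json.dumps(SAMPLE_EVENT).encode())
    print("accepted" if accepted else "rejected")
```

In practice the relay sits behind a web server that hands each POST body to `handle_userlock_webhook`; anything that fails the secret check is dropped (and worth logging on its own) rather than forwarded. The check uses `hmac.compare_digest` so that a wrong secret takes the same time to reject as a nearly-right one, and the event’s own timestamp is used as the HEC `time` so that delivery delays do not shift events in Splunk’s timeline.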

Authentication data improves security and enables automations

SIEMs are hungry systems. The more data they’re fed, the better the odds that IT teams can use them to spot anomalies or compromise attempts. At any moment, this data could be hugely significant, allowing security teams to set up automations such as blocking an Active Directory (AD) user following a suspicious logon event.
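To make the automation above concrete, here is an added example (written for this article, not IS Decisions code) of the kind of rule a SIEM would run over the authentication events once they are indexed: it groups events per user, flags any user with a burst of failed authentications inside a short window, notes whether a success followed the burst, and turns each flagged user into a proposed “block the AD account” action for an operator or playbook to carry out. The event field names (`User`, `Timestamp`, `ClientIp`, `AuthType`, `Success`) and the sample events are constructed assumptions, not UserLock’s real schema; the threshold and window are illustrative and would be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events with hypothetical field names (not UserLock's schema).
SAMPLE_EVENTS = [
    {"User": "jdoe", "Timestamp": "2025-01-16T08:15:00+00:00", "ClientIp": "203.0.113.42", "AuthType": "MFA", "Success": False},
    {"User": "jdoe", "Timestamp": "2025-01-16T08:15:20+00:00", "ClientIp": "203.0.113.42", "AuthType": "MFA", "Success": False},
    {"User": "jdoe", "Timestamp": "2025-01-16T08:15:40+00:00", "ClientIp": "203.0.113.42", "AuthType": "MFA", "Success": False},
    {"User": "jdoe", "Timestamp": "2025-01-16T08:16:05+00:00", "ClientIp": "203.0.113.42", "AuthType": "MFA", "Success": True},
    {"User": "asmith", "Timestamp": "2025-01-16T08:15:10+00:00", "ClientIp": "198.51.100.7", "AuthType": "Password", "Success": False},
    {"User": "asmith", "Timestamp": "2025-01-16T09:40:00+00:00", "ClientIp": "198.51.100.7", "AuthType": "Password", "Success": True},
]


def find_auth_bursts(events, window=timedelta(minutes=2), threshold=3):
    """Return {user: details} for users with >= threshold failures inside any `window`.

    `details` records how many failures were in the burst, when the last one
    happened, and whether a successful authentication followed within the
    window, which is the case most worth escalating.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["User"]].append((datetime.fromisoformat(e["Timestamp"]), bool(e.get("Success"))))

    flagged = {}
    for user, seq in by_user.items():
        seq.sort(key=lambda pair: pair[0])  # events may arrive out of order
        failures = deque()  # sliding window of failure timestamps
        for t, ok in seq:
            if ok:
                if user in flagged and t - flagged[user]["last_failure"] <= window:
                    flagged[user]["followed_by_success"] = True
                continue
            failures.append(t)
            while t - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                flagged[user] = {"failures": len(failures), "last_failure": t,
                                 "followed_by_success": False}
    return flagged


def plan_response(flagged):
    """Turn flagged users into proposed actions; this only describes them, it executes nothing."""
    actions = []
    for user, d in flagged.items():
        reason = f"{d['failures']} failed authentications within window"
        if d["followed_by_success"]:
            reason += ", then a successful login"
        actions.append({"action": "block_ad_user", "user": user, "reason": reason})
    return actions


if __name__ == "__main__":
    for action in plan_response(find_auth_bursts(SAMPLE_EVENTS)):
        print(action)
```

Running this over the sample yields one action, for `jdoe`, whose three MFA failures in forty seconds were followed by a success; `asmith`, with a single failure an hour before a normal login, is left alone. The same logic expressed as a scheduled Splunk search is what would feed an alert action or a SOAR playbook.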

But it’s not all about SIEMs generating alerts. SIEM integration also makes possible a wide range of automations with third-party applications. For example, data from these events can be used to accurately log employees’ work hours and overtime, or to integrate with external applications that allow line managers to easily authorize temporary time extensions for a specific user.

Integrate Splunk with UserLock for more visibility

If an attack is underway, one of the first places it will show up is an authentication event. However, this data can often be ambiguous or appear normal, which means that separating the good from the bad can be hit and miss using a manual process. SIEMs including Splunk have taken some of the guesswork out of this by allowing rogue logins or attempted logins to be correlated with events elsewhere on the network, building a deeper picture.

UserLock supports this, giving defenders a rich source of intelligence on real-time events as well as for future analysis and reporting.

Security benefits hugely from this data sharing. IT security teams can monitor better, respond faster, detect threats earlier, and run more comprehensive auditing.

François Amigorena, President and CEO of IS Decisions