Use correlation searches to monitor accounts
- Ram uses the following correlation searches available by default in Splunk Enterprise Security to monitor account activity:
  - Account Deleted: Detects user and computer account deletion.
  - Completely Inactive Account: Discovers accounts that are no longer used. It's a good idea to disable unused accounts because they are often used by attackers to gain unauthorized access.
  - Inactive Account Activity Detected: Discovers previously inactive accounts that are now being used. Reactivated accounts might be due to an attacker that successfully gained access to an account that was no longer being used.
  - New User Account Created on Multiple Hosts: Alerts when a previously unseen account is created on multiple hosts.
  - Short Lived Accounts: Detects accounts that were created and deleted in a short time period.
- Ram uses the following correlation searches that are available by default in Splunk Enterprise Security to identify potential risk events through compromised user credentials:
  - Geographically Improbable Access Detected: Alerts on access attempts that are improbable based on time and geography.
  - Concurrent Login Attempts Detected: Alerts on concurrent access attempts to an app from different hosts. These access attempts are good indicators of shared passwords and potential misuse.
- Ram uses these correlation searches to see if a password is being used in a suspicious manner, even if the authentication is successful. However, these correlation searches generate numerous notable events.
- Ram can also create his own correlation searches to identify if there was an increase in the number of host systems that a user logged into or whether there was a new interactive login from a service account.
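The first custom search mentioned above, an increase in the number of hosts a user logs into, can be written against the CIM Authentication data model. The SPL below is an added example, not a search that ships with Splunk Enterprise Security. It assumes the Authentication data model is accelerated (`summariesonly=true`), that the search is scheduled shortly after midnight so the most recent full day is the one under test, and the thresholds (30-day baseline, at least 5 hosts, 3 standard deviations above the user's own average) are illustrative values to tune per environment:

```spl
| tstats summariesonly=true count
    from datamodel=Authentication
    where Authentication.action="success" earliest=-31d@d latest=@d
    by Authentication.user Authentication.dest _time span=1d
| rename Authentication.user AS user Authentication.dest AS dest
| stats dc(dest) AS hosts BY user _time
| eval current=if(_time >= relative_time(now(), "-1d@d"), 1, 0)
| eventstats avg(eval(if(current=0, hosts, null()))) AS avg_hosts,
             stdev(eval(if(current=0, hosts, null()))) AS stdev_hosts BY user
| where current=1 AND hosts >= 5 AND hosts > avg_hosts + 3 * coalesce(stdev_hosts, 0)
| table user hosts avg_hosts stdev_hosts
```

The baseline is computed per user from the 30 days before the day under test, so a user whose normal daily footprint is one or two hosts is flagged well before one whose job already spans many systems. The `hosts >= 5` floor keeps a user who goes from one host to two out of the notable-event queue, which addresses the volume concern raised above.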
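The second custom search, a new interactive login from a service account, is easiest to express on raw Windows Security events, because the CIM Authentication data model does not carry the Windows logon type. The SPL below is an added example and not part of the product. It assumes Windows Security logs are in an index named `wineventlog` with the XML field names used by the Splunk Add-on for Windows (`TargetUserName`, `LogonType`, `Computer`, `IpAddress`), and a hypothetical CSV lookup named `service_accounts` with a `user` column listing the organization's service accounts. Logon types 2 (Interactive), 10 (RemoteInteractive) and 11 (CachedInteractive) are the ones a non-human account should never produce:

```spl
index=wineventlog EventCode=4624 LogonType IN (2, 10, 11)
| lookup service_accounts user AS TargetUserName OUTPUT user AS svc_user
| where isnotnull(svc_user)
| stats count
        min(_time) AS first_seen
        max(_time) AS last_seen
        values(IpAddress) AS src_ip
        values(LogonType) AS logon_types
        BY TargetUserName Computer
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Running this every hour over the previous hour gives one notable event per service account and destination host rather than one per logon, and the `src_ip` and `logon_types` values tell the analyst whether it was a console logon at the server or an RDP session from elsewhere.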
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.2.0