Splunk® Enterprise Security

Use Splunk Enterprise Security

Acrobat logo Download manual as PDF


Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

User Activity Monitoring

User Activity

The User Activity dashboard displays panels representing common risk-generating user activities such as suspicious website activity. For more information about risk scoring, see "Risk scoring" in this manual.

Dashboard filters

You can use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.

Filter by Description Action
User A known or unknown identity Text field. Empty by default. Wildcard strings with an asterisk (*)
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Watchlisted Users Designates a monitored identity. Drop-down: select to filter by
Time Range Select the time range to represent. Drop-down: select to filter by

Dashboard Panels

Panel Description
Key Indicators Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See "Key indicators" in this manual.
Users By Risk Scores Displays the top 100 highest risk users. As an insider threat can represent subtle and indirect changes in behavior, this panels assists an analyst in focusing on the riskiest users in the organization. The drilldown opens the "Identity Investigator" dashboard and searches on the selected user.
Non-corporate Web Uploads Displays high volume upload and download activity by user. An irregular pattern of upload or download activity can be an indicator of data exfiltration. The drilldown opens the "Identity Investigator" dashboard and searches on the selected user.
Non-corporate Email Activity Displays the top 100 users performing high volume email activity to non-corporate domains. A pattern of large or high volume email activity can be an indicator of data exfiltration. The drilldown opens the "Identity Investigator" dashboard and searches on the selected user.
Watchlisted Site Activity Displays web access by user. Accessing specific categories of web sites while using workplace resources and assets can be an indicator of insider threat activity. The drilldown opens the "Identity Investigator" dashboard and searches on the selected user.
Remote Access Displays remote access authentication by user. A user performing risky web or email activity while using remote access services can be an indicator of data exfiltration, or exploited credentials. The drilldown opens the "Identity Investigator" dashboard and searches on the selected user.
Ticket Activity Displays ticketing activity by user. A user performing risky web or email activity while filing tickets to provide additional services or internal access can be an indicator of data exfiltration, or exploited credentials. The drilldown opens the "Identity Investigator" dashboard and searches on the selected user.

Data sources

The reports in the User Activity dashboard reference data fields in multiple sources. Relevant data sources include proxy servers, gateways and firewalls, or other sources that reference a distinct user. In order for the dashboards to populate, new lookup content and fields in the identities list must be added. For a list of additional data sources, see "Dashboard Troubleshooting" in this manual..

Access Anomalies

The Access Anomalies dashboard displays concurrent authentication attempts from different IP addresses and improbable travel anomalies using internal user credentials and location-relevant data.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels.

Filter by Description Action
Action A successful or failed authentication attempt Drop-down: select to filter by
App The application field in the authentication data model Drop-down: select to filter by
User A known or unknown identity Text field. Empty by default. Wildcard strings with an asterisk (*)
Business Unit A group or department classification for the identity. Text field. Empty by default. Wildcard strings with an asterisk (*)
Time Range Select the time range to represent. Drop-down: select to filter by

Dashboard Panels

Panel Description
Geographically Improbable Accesses Displays users that initiated multiple authentication attempts separated by an improbable time and distance. Authenticating from two geographically distant locations in a time frame lower than typical transportation methods provide can be an indicator of exploited credentials. The drilldown opens the "Access Search" dashboard and searches on the selected user.
Concurrent Application Accesses Displays users that initiated multiple authentication attempts from unique IP addresses within a short time span. This pattern of authentication can be an indicator of shared or stolen credentials. The drilldown redirects the page to the "Access Search" dashboard and searches on the selected user.

Data sources

The reports in the Access Anomalies dashboard reference data fields in the Authentication data model. Relevant data sources include proxy servers, gateways and firewalls, or other sources that reference a distinct user. See "Dashboard Troubleshooting" in this manual.

Troubleshooting

This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty. See "Dashboard Troubleshooting" in this manual.

Last modified on 21 September, 2016
PREVIOUS
Asset and Identity Investigator dashboards
  NEXT
Asset and Identity management

This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters