Splunk® Enterprise Security

Use Cases

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Use correlation searches to monitor accounts

  1. Ram uses the following correlation searches available by default in Splunk Enterprise Security to monitor account activity:
    • Account Deleted: Detects user and computer account deletion.
    • Completely Inactive Account: Discovers accounts that are no longer used. It's a good idea to disable unused accounts because they are often used by attackers to gain unauthorized access.
    • Inactive Account Activity Detected: Discovers previously inactive accounts that are now being used. Reactivated accounts might be due to an attacker that successfully gained access to an account that was no longer being used.
    • New User Account Created on Multiple Hosts: Alerts when a previously unseen account is created on multiple hosts.
    • Short Lived Windows Accounts: This search detects accounts that were created and deleted in a short time period.
  2. Ram uses the following correlation searches that are available by default in Splunk Enterprise Security to identify potential risk events through compromised user credentials.
    • Geographically Improbable Access Detected: Alerts on access attempts that are improbable based on time and geography.
    • Concurrent Login Attempts Detected: Alerts on concurrent access attempts to an app from different hosts. These access attempts are good indicators of shared passwords and potential misuse.
  3. Ram uses these correlation searches to see if a password is being used in a suspicious manner, even if the authentication is successful. However, these correlation searches generate numerous notable events.
  4. Ram can also create his own correlation searches to identify if there was an increase in the number of host systems that a user logged into or whether there was a new interactive login from a service account.
Last modified on 19 January, 2022
Classify accounts based on privileged access   Increase risk factors to identify unauthorized usage

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters