Use Dashboards to track user behavior
Ram uses the following dashboards in Splunk Enterprise Security to monitor and track user account activity: Access Center Access Tracker Access Search Account Management Default Account Activity User Activity Identify Investigator
The Access Center dashboard helps Ram to automatically track account creation, updates to accounts, and deleted accounts across all data sources. Using the Access Center dashboard, Ram gets a summary of all authentication events, such as brute-force attacks, use of clear text passwords, or access to certain systems outside of work hours. This dashboard helps Ram to identify all security incidents that involve authentication attempts.
The Access Tracker dashboard provides Ram with an overview of account statuses, tracks newly active or inactive accounts, tracks accounts that have been inactive for a period of time but recently became active, and discovers accounts that are not properly de-provisioned or inactivated when a person leaves the organization. Because inactive accounts or improperly active accounts are vulnerable to attackers, Ram believes that it is a good idea to check the Access Tracker dashboard on a regular basis. Ram also uses this dashboard during investigations to identify suspicious accounts and closely examine user access activity. The Access Search dashboard helps Ram to find specific authentication events for ad-hoc searching of authentication data or to drill down on searches.
The Account Management dashboard enables Ram to identify changes to user accounts, such as account lockouts, newly created accounts, disabled accounts, and password resets. Ram knows that a sudden increase in the number of accounts created, modified, or deleted can indicate malicious behavior or a rogue system and a high number of account lockouts can indicate an attack.
The Default Account Activity dashboard helps Ram to locate any activity on "default accounts", or accounts enabled by default on various systems, such as network infrastructure devices, databases, and applications. The Default Account Activity dashboard helps Ram to identify the usage of more than 50 common default accounts from various vendors and software products. Default accounts have well-known passwords and are often not disabled properly when a system is deployed.
Occasionally, Ram wants to investigate an account from a historic or forensic perspective. Viewing an account from a historical perspective allows Ram to receive an indication from a third party that a user needs some scrutiny, like if human resources or the internal fraud department of Buttercup Games flags a user for review, and requests a complete timeline of that account's network activity and access patterns. Ram then uses the User Activity and Identity Investigator dashboards in Splunk Enterprise Security to help him investigate the accounts.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.2.0