Access dashboards
The Access Protection domain monitors authentication attempts to network devices, endpoints, and applications within the organization. Access Protection is useful for detecting malicious authentication attempts, as well as identifying systems users have accessed in either an authorized or unauthorized manner.
Access Center dashboard
Access Center provides a summary of all authentication events. This summary is useful for identifying security incidents involving authentication attempts such as brute-force attacks or use of clear text passwords, or for identifying authentications to certain systems outside of work hours.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.
Filter by | Description | Action |
---|---|---|
Action | Filter based on authentication success or failure. | Drop-down: select to filter by |
App | Filter based on authentication application. | Drop-down: select to filter by |
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*) |
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by |
Special Access | Restricts the view to events related to privileged access. See Administrative Identities in Administer Splunk Enterprise Security. | Drop-down: select to filter by |
Time Range | Select the time range to view. | Drop-down: select to filter by |
Dashboard Panels
Panel | Description |
---|---|
Access Over Time By Action | Displays the count of authentication events over time by action. |
Access Over Time By App | Displays the count of authentication events over time by app. For example, "win:local" refers to the local authentication performed on a Windows system and "win:remote" refers to remote API access. |
Top Access By Source | Displays a table of highest access counts by source. This table is useful for detecting brute force attacks, since aggressive authentication attempts display a disproportionate number of auth requests. |
Top Access By Unique Users | Displays a table of the sources generating the highest number of unique user authentication events. |
Access Tracker dashboard
The Access Tracker dashboard gives an overview of account statuses. Use it to track newly active or inactive accounts, as well as those that have been inactive for a period of time but recently became active. Discover accounts that are not properly de-provisioned or inactivated when a person leaves the organization.
As inactive accounts or improperly active accounts are vulnerable to attackers, it is a good idea to check this dashboard on a regular basis. You can also use this dashboard during an investigation to identify suspicious accounts and closely examine user access activity.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.
Filter by | Description | Action |
---|---|---|
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*) |
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by |
Dashboard Panels
Panel | Description |
---|---|
First Time Access - Last 7 days | Displays new account access by user and destination. |
Inactive Account Usage - Last 90 days | Displays accounts that were inactive for a period of time, but that have shown recent activity. |
Completely Inactive Accounts - Last 90 days | Displays accounts that have shown no activity. Use this panel to identify accounts that should be suspended or removed. If the organization has a policy that requires password change after a specified interval, then accounts that have shown no activity for more than that interval are known to be inactive. This panel also indicates the effectiveness of the enterprise's policy for closing or de-provisioning accounts. If a large number of accounts display here, the process may need to be reviewed. |
Account Usage For Expired Identities - Last 7 days | Displays activity for accounts that are suspended within the specified time frame. Use this panel to verify that accounts that should be inactive are not in use. |
Access Search dashboard
Use the Access Search dashboard to find specific authentication events. The dashboard is used in ad-hoc searching of authentication data, but is also the primary destination for drilldown searches used in the Access Anomalies dashboard panels.
The Access Search page displays no results unless it is opened in response to a drilldown action, or you set a filter and/or time range and click Submit.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.
Filter by | Description | Action |
---|---|---|
Action | Filter based on authentication success or failure. | Drop-down: select to filter by |
App | Filter based on authentication application. | Drop-down: select to filter by |
Source | A string that the source field src must match. |
Text field. Empty by default. Wildcard strings with an asterisk (*) |
Destination | A string that the destination field dest must match. |
Text field. Empty by default. Wildcard strings with an asterisk (*) |
User | A string that the user field user must match. |
Text field. Empty by default. Wildcard strings with an asterisk (*) |
Time Range | Select the time range to view. | Drop-down: select to filter by |
Account Management dashboard
The Account Management dashboard shows changes to user accounts, such as account lockouts, newly created accounts, disabled accounts, and password resets. Use this dashboard to verify that accounts are being correctly administered and account administration privileges are being properly restricted. A sudden increase in the number of accounts created, modified, or deleted can indicate malicious behavior or a rogue system. A high number of account lockouts could indicate an attack.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.
Filter by | Description | Action |
---|---|---|
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*) |
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by |
Special Accounts | Restricts the view to events related to privileged access. See Administrative identities in Administer Splunk Enterprise Security. | Drop-down: select to filter by |
Time Range | Select the time range to view. | Drop-down: select to filter by |
Dashboard Panels
Panel | Description |
---|---|
Account Management Over Time | Displays all account management events over time. |
Account Lockouts | Displays all account lockouts, including the number of authentication attempts per account. |
Account Management by Source User | Tracks the total account management activity by source user, and shows the source users with the most account management events. The source user is the user that performed the account management event, rather than the user that was affected by the event. For example, if user "Friday.Adams" creates an account "Martha.Washington", then "Friday.Adams" is the source user. This panel helps identify accounts that should not be managing other accounts and shows spikes in account management events, such as the deletion of a large number of accounts. |
Top Account Management Events | Shows the most frequent management events in the specified time period. |
Default Account Activity dashboard
The Default Account Activity dashboard shows activity on "default accounts", or accounts enabled by default on various systems such as network infrastructure devices, databases, and applications. Default accounts have well-known passwords and are often not disabled properly when a system is deployed.
Many security policies require that default accounts be disabled. In some cases, you may need to monitor or investigate authorized use of a default account. It is important to confirm that the passwords on default accounts are changed before use. Abnormal or deviant user behavior from a default account can indicate a security threat or policy violation. Use this dashboard to ensure that security policies regarding default accounts are properly followed.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.
Filter by | Description | Action |
---|---|---|
Business Unit | A group or department classification for the identity. | Text field. Empty by default. Wildcard strings with an asterisk (*) |
Category | Filter based on the categories to which the host or user belongs. See Format an asset or identity list as a lookup in Splunk Enterprise Security in Administer Splunk Enterprise Security. | Drop-down: select to filter by |
Time Range | Select the time range to view. | Drop-down: select to filter by |
Dashboard panels
Panel | Description |
---|---|
Default Account Usage Over Time by App | Shows default account activity on all systems and applications during the selected time frame, split by application. For example, sshd or ftpd. Application accounts are shown by the number of successful login attempts and when the last attempt was made. Use this chart to identify spikes in default account login activity by application, which may indicate a security incident, as well as to determine whether default account use is common (for example, a daily event) or rare for a certain application. |
Default Accounts in Use | Shows all default user accounts with a high number of login attempts on different hosts, including the last attempt made. Abnormal default user account activity that could indicate a security threat. Also helps ensure that default account behavior matches the security policy. |
Default Local Accounts | Lists all default accounts that are active on enterprise systems, including accounts "at rest". Any available default accounts are listed, regardless of whether the account is actually in use. Only accounts detected on a local system, for example by examining the users list on a host, are included in this list. |
Troubleshooting Access dashboards
This dashboard references data from various data models. Without the applicable data, the dashboards will remain empty. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Predictive Analytics dashboard | Endpoint dashboards |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!