Classify accounts based on privileged access
Ram first collects and extracts all assets and identity data to add it to Enterprise Security. Next, Ram formats the collected asset or identity data into a lookup file so that it can be processed by Splunk Enterprise Security. Finally, Ram uses the Assets and Identities framework in Splunk Enterprise Security to specify categories for all the accounts in his SOC, and label the privileged accounts.
For more information on how to format the asset and identity list, see Format an asset or identity list as a lookup
Specifying categories for all the accounts in his SOC allows Ram to use the default correlation searches in Splunk Enterprise Security to monitor those accounts more closely and get visibility into interesting account activity or unauthorized usage.
Use Dashboards to track user behavior
Use correlation searches to monitor accounts
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0