Use correlation searches to monitor accounts
- Ram uses the following correlation searches available by default in Splunk Enterprise Security to monitor account activity:
- Account Deleted: Detects user and computer account deletion.
- Completely Inactive Account: Discovers accounts that are no longer used. It's a good idea to disable unused accounts because they are often used by attackers to gain unauthorized access.
- Inactive Account Activity Detected: Discovers previously inactive accounts that are now being used. Reactivated accounts might be due to an attacker that successfully gained access to an account that was no longer being used.
- New User Account Created on Multiple Hosts: Alerts when a previously unseen account is created on multiple hosts.
- Short Lived Windows Accounts: This search detects accounts that were created and deleted in a short time period.
- Ram uses the following correlation searches that are available by default in Splunk Enterprise Security to identify potential risk events through compromised user credentials.
- Geographically Improbable Access Detected: Alerts on access attempts that are improbable based on time and geography.
- Concurrent Login Attempts Detected: Alerts on concurrent access attempts to an app from different hosts. These access attempts are good indicators of shared passwords and potential misuse.
- Ram uses these correlation searches to see if a password is being used in a suspicious manner, even if the authentication is successful. However, these correlation searches generate numerous notable events.
- Ram can also create his own correlation searches to identify if there was an increase in the number of host systems that a user logged into or whether there was a new interactive login from a service account.
Classify accounts based on privileged access
Increase risk factors to identify unauthorized usage
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0