Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Review overall user activity

Get an overview of user activity in your environment on the Users Dashboard. You can focus on users from any time and of any risk score, or you can select Add Filter to focus on specific types of users. By default, this dashboard displays users with identified anomalies. Use the filters to view all users.

This screen image shows the Users Dashboard page. The elements on this page are described in the surrounding text.

To access the Users Dashboard:

  1. Select the Users indicator on the home page, or select Explore > Users from the menu.
  2. Click the the threats dashboard icon icon.

On the Users Dashboard page, you can review the Key Indicators to understand at-a-glance how the total number of users in your environment compares with the number of users with anomalies and with threats. You can also see how the number of anomalous sessions and number of users with anomalous sessions compares with the total number of sessions.

Use the dashboard panels to see which users are posing the most risk to your environment, and which threats and anomalies are most common.

  • The Top Users panel shows the top twenty highest-risk users and accounts in your environment, sorted by risk score. You can view the number of anomalies and threats associated with each user or account. Click a user to view the User Info for them. Click View Details to see the Users Table filtered by top users.
  • View the Users by Threat Type to see which threats are most common for users in your organization. Click a threat to see the Users Table with all the users associated with that threat listed, or click View Details to see All Users.
  • Use the Users by Anomaly Type to see which anomalous activity is performed most often by users in your environment.
  • If you have a watchlist set up for users, and those users have anomalies associated with them, you can see anomalous user activity sorted by Users by Watchlist.
  • Use the Anomalous Users Trend to identify how the number of anomalous users in your organization changes over time.
  • See the trend of unique users on the Unique Users Trend panel.
  • View the Users with Anomalous Sessions and identify possible correlations between anomalous sessions, users and accounts, threats, and anomalies.
  • Understand whether various user groups have more anomalies than others by reviewing the Users by Department and Users by AD Group panels.
  • Determine location-based correlations between users, accounts, and anomalies with the Users by Country, Users by State, and Users by City panels.
Last modified on 27 November, 2023
Manage the number of threats and anomalies in your environment   Peer groups in Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters