Review overall user activity
Get an overview of user activity in your environment on the Users Dashboard. You can focus on users from any time and of any risk score, or you can select Add Filter to focus on specific types of users. By default, this dashboard displays users with identified anomalies. Use the filters to view all users.
To access the Users Dashboard:
- Select the Users indicator on the home page, or select Explore > Users from the menu.
- Click the icon.
On the Users Dashboard page, you can review the Key Indicators to understand at-a-glance how the total number of users in your environment compares with the number of users with anomalies and with threats. You can also see how the number of anomalous sessions and number of users with anomalous sessions compares with the total number of sessions.
Use the dashboard panels to see which users are posing the most risk to your environment, and which threats and anomalies are most common.
- The Top Users panel shows the top twenty highest-risk users and accounts in your environment, sorted by risk score. You can view the number of anomalies and threats associated with each user or account. Click a user to view the User Info for them. Click View Details to see the Users Table filtered by top users.
- View the Users by Threat Type to see which threats are most common for users in your organization. Click a threat to see the Users Table with all the users associated with that threat listed, or click View Details to see All Users.
- Use the Users by Anomaly Type to see which anomalous activity is performed most often by users in your environment.
- If you have a watchlist set up for users, and those users have anomalies associated with them, you can see anomalous user activity sorted by Users by Watchlist.
- Use the Anomalous Users Trend to identify how the number of anomalous users in your organization changes over time.
- See the trend of unique users on the Unique Users Trend panel.
- View the Users with Anomalous Sessions and identify possible correlations between anomalous sessions, users and accounts, threats, and anomalies.
- Understand whether various user groups have more anomalies than others by reviewing the Users by Department and Users by AD Group panels.
- Determine location-based correlations between users, accounts, and anomalies with the Users by Country, Users by State, and Users by City panels.
Manage the number of threats and anomalies in your environment
Investigate threats as a security analyst
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 220.127.116.11, 5.0.5, 18.104.22.168, 5.1.0, 22.214.171.124