Review current user activity
You can use Splunk UBA to review the activity of the users in your environment. The Users Review page shows you each user one at a time so you can focus on the riskiest users in your organization. The highest-risk users with the most recent risk-incurring activity display first. You can further filter the users, for example by risk score, time, or country.
To open the Users Review page, start from the UBA navigation bar. Select Explore > Users to reach the Users Table. Then select the Users Review icon on the left-hand menu.
You can accomplish the following tasks on the Users Review page:
- Review the username and the last updated date and time.
- See which threats, if any, are associated with the user.
  - Each threat has a risk score.
  - Select a threat to see the User Threats dashboard for the selected user.
- Review the anomalies associated with the user account.
  - Each anomaly has a risk score.
  - Select an anomaly to see the User Anomalies dashboard for the selected user.
- Review the devices in the anomalies. Both internal and external devices could be present.
  - Each device has a risk score.
  - Select a device IP address to see the Device Facts dashboard.
- Review the domains in the anomalies. Select a domain to see the Domain Facts dashboard.
- Determine whether the user activity is becoming riskier over time with the User Score Trend.
- Identify clusters of anomalous behavior over time on the User Anomalies Timeline.
- If you decide to investigate the user more, or to learn more about them, click Details to see the User Facts dashboard for the user.
Add a user to a Watchlist
After you review a user's details, you might want to add them to a Watchlist to better monitor their activities. Complete the following steps:
- From the UBA navigation bar, select Manage > Watchlists.
- Select an available Watchlist or create a New User Watchlist and add the user.
- Select Manage User Watchlists to rename or remove existing user watchlists, or add a new one.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1