Review current user activity

You can use Splunk UBA to review the activity of the users in your environment. The Users Review page shows you each user one at a time so you can focus on the riskiest users in your organization. The highest-risk users with the most recent risk-incurring activity display first. You can further filter the users by risk score, time, or country for example.

See the Users Review page from the UBA navigation bar. Select Explore > Users to reach the Users Table. Then select the Users Review icon on the left hand menu.

You can accomplish the following tasks on the Users Review page:

• Review the username and the last updated date and time.
• See which threats, if any, are associated with the user.
  • Each threat has a risk score.
  • Select a threat to see the User Threats dashboard for the selected user.
• Review the anomalies associated with the user account.
  • Each anomaly has a risk score.
  • Select an anomaly to see the User Anomalies dashboard for the selected user.
• Review the devices in the anomalies. Both internal and external devices could be present.
  • Each device has a risk score.
  • Select a device IP address to see the Device Facts dashboard.
• Review the domains in the anomalies. Select a domain to see the Domain Facts dashboard.
• Determine whether the user activity is becoming riskier over time with the User Score Trend.
• Identify clusters of anomalous behavior over time on the User Anomalies Timeline.
• If you decide to investigate the user more, or to learn more about them, click Details to see the User Facts dashboard for the user.

Add a user to a Watchlist

After you review a user's details, you might want to add them to a Watchlist to better monitor their activities. Complete the following steps:

1. From the UBA navigation barr select Manage > Watchlists.
2. Select an availableWatchlist or create a New User Watchlist and add the user.
3. Select Manage User Watchlists to rename or remove existing user watchlists, or add a new one.