Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Review current user activity

You can use Splunk UBA to review the activity of the users in your environment. The Users Review page shows you each user one at a time so you can focus on the riskiest users in your organization. The highest-risk users with the most recent risk-incurring activity display first. You can further filter the users by risk score, time, or country for example.

See the Users Review page from the UBA navigation bar. Select Explore > Users to reach the Users Table. Then select the Users Review icon on the left hand menu.

This screen image shows the Users Review page. The elements on this page are described in the following text.

You can accomplish the following tasks on the Users Review page:

  • Review the username and the last updated date and time.
  • See which threats, if any, are associated with the user.
    • Each threat has a risk score.
    • Select a threat to see the User Threats dashboard for the selected user.
  • Review the anomalies associated with the user account.
    • Each anomaly has a risk score.
    • Select an anomaly to see the User Anomalies dashboard for the selected user.
  • Review the devices in the anomalies. Both internal and external devices could be present.
    • Each device has a risk score.
    • Select a device IP address to see the Device Facts dashboard.
  • Review the domains in the anomalies. Select a domain to see the Domain Facts dashboard.
  • Determine whether the user activity is becoming riskier over time with the User Score Trend.
  • Identify clusters of anomalous behavior over time on the User Anomalies Timeline.
  • If you decide to investigate the user more, or to learn more about them, click Details to see the User Facts dashboard for the user.

Add a user to a Watchlist

After you review a user's details, you might want to add them to a Watchlist to better monitor their activities. Complete the following steps:

  1. From the UBA navigation barr select Manage > Watchlists.
  2. Select an availableWatchlist or create a New User Watchlist and add the user.
  3. Select Manage User Watchlists to rename or remove existing user watchlists, or add a new one.
Last modified on 29 November, 2023
View user information   Delete anomalies in Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters