User activity dashboard
The User Activity dashboard displays panels representing common risk-generating user activities such as suspicious website activity. For more information about risk scoring, see How Splunk Enterprise Security assigns risk scores.
Dashboard filters
You can use the available dashboard filters to refine the results displayed on the dashboard panels. The filters do not apply to key security indicators.
| Filter by | Description |
|---|---|
| User | A known or unknown identity |
| Business Unit | A group or department classification for the identity. |
| Watchlisted Users | Designates a monitored identity. |
| Time Range | Select the time range to represent. |
Dashboard Panels
| Panel | Description |
|---|---|
| Key Indicators | Displays the metrics relevant to the dashboard sources over the past 48 hours. Key indicators represent summary information and appear at the top of the dashboard. See Key indicators in Splunk Enterprise Security. |
| Users By Risk Scores | Displays the top 100 highest risk users. As an insider threat can represent subtle and indirect changes in behavior, this panels assists an analyst in focusing on the riskiest users in the organization. The drilldown opens the Identity Investigator dashboard and searches on the selected user. |
| Non-corporate Web Uploads | Displays high volume upload and download activity by user. An irregular pattern of upload or download activity can be an indicator of data exfiltration. The drilldown opens the Identity Investigator dashboard and searches on the selected user. |
| Non-corporate Email Activity | Displays the top 100 users performing high volume email activity to non-corporate domains. A pattern of large or high volume email activity can be an indicator of data exfiltration. The drilldown opens the Identity Investigator dashboard and searches on the selected user. |
| Watchlisted Site Activity | Displays web access by user. Accessing specific categories of web sites while using workplace resources and assets can be an indicator of insider threat activity. The drilldown opens the Identity Investigator dashboard and searches on the selected user. |
| Remote Access | Displays remote access authentication by user. A user performing risky web or email activity while using remote access services can be an indicator of data exfiltration, or exploited credentials. The drilldown opens the Identity Investigator dashboard and searches on the selected user. |
| Ticket Activity | Displays ticketing activity by user. A user performing risky web or email activity while filing tickets to provide additional services or internal access can be an indicator of data exfiltration, or exploited credentials. The drilldown opens the Identity Investigator dashboard and searches on the selected user. |
Data sources
The reports in the User Activity dashboard reference data fields in multiple sources. Relevant data sources include proxy servers, gateways and firewalls, or other sources that reference a distinct user. In order for the dashboards to populate, new lookup content and fields in the identities list must be added. For a list of additional data sources, see Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.