Access Anomalies

The Access Anomalies dashboard displays two kinds of authentication anomaly: concurrent authentication attempts by a single user from different IP addresses, and improbable travel, where a user authenticates from two locations too far apart for the time elapsed between the attempts. Both are derived from authentication events that carry internal user credentials and location-relevant data, such as a source address that can be geolocated.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels.

Filter         Description
Action         A successful or failed authentication attempt.
App            The application field in the Authentication data model.
User           A known or unknown identity.
Business Unit  A group or department classification for the identity.
Time Range     The time range of authentication events to display.

Dashboard panels

Panel                               Description
Geographically Improbable Accesses  Displays users that initiated multiple authentication attempts separated by an improbable combination of time and distance. Authenticating from two geographically distant locations within a time frame shorter than any ordinary means of transport allows can be an indicator of compromised credentials. The drilldown opens the Access search dashboard and searches on the selected user.
Concurrent Application Accesses     Displays users that initiated multiple authentication attempts from distinct IP addresses within a short time span. This pattern of authentication can be an indicator of shared or stolen credentials. The drilldown opens the Access search dashboard and searches on the selected user.
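The logic behind both panels, as an added example that is not Splunk Enterprise Security's own search code: a small Python stand-in run over constructed authentication events shaped like Authentication data model results. It assumes a geolocation for each src (the lat/lon fields, which in practice would come from an IP lookup) and a maximum plausible travel speed of 900 km/h; the event data, field names beyond _time/user/src/app/action, and thresholds are all assumptions for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from any real index), shaped like results
# from the Authentication data model. lat/lon stand in for the geolocation an
# IP lookup would return for src; None means the address did not resolve
# (private RFC 1918 space, for example), so no distance can be measured.
EVENTS = [
    {"_time": "2024-03-01T08:00:00Z", "user": "alice", "src": "203.0.113.10",
     "app": "vpn", "action": "success", "lat": 40.7128, "lon": -74.0060},   # New York
    {"_time": "2024-03-01T08:45:00Z", "user": "alice", "src": "198.51.100.7",
     "app": "vpn", "action": "success", "lat": 51.5074, "lon": -0.1278},    # London, 45 min later
    {"_time": "2024-03-01T09:00:00Z", "user": "bob", "src": "192.0.2.5",
     "app": "okta", "action": "success", "lat": 37.7749, "lon": -122.4194}, # San Francisco
    {"_time": "2024-03-01T09:02:00Z", "user": "bob", "src": "192.0.2.99",
     "app": "okta", "action": "success", "lat": 37.7749, "lon": -122.4194}, # same city, new src
    {"_time": "2024-03-01T09:00:00Z", "user": "carol", "src": "203.0.113.50",
     "app": "okta", "action": "success", "lat": 48.8566, "lon": 2.3522},    # Paris
    {"_time": "2024-03-01T18:00:00Z", "user": "carol", "src": "203.0.113.51",
     "app": "okta", "action": "success", "lat": 51.5074, "lon": -0.1278},   # London, 9 h later
    {"_time": "2024-03-01T10:00:00Z", "user": "dave", "src": "10.0.0.5",
     "app": "vpn", "action": "success", "lat": None, "lon": None},          # private src, no geo
    {"_time": "2024-03-01T10:01:00Z", "user": "dave", "src": "203.0.113.77",
     "app": "vpn", "action": "success", "lat": 35.6762, "lon": 139.6503},   # Tokyo, 1 min later
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _by_user(events, action="success"):
    """Group events with the given action by user, each group sorted by time."""
    groups = defaultdict(list)
    for e in events:
        if e["action"] == action:
            groups[e["user"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: _ts(e["_time"]))
    return dict(sorted(groups.items()))


def improbable_accesses(events, max_kmh=900.0):
    """Geographically Improbable Accesses: consecutive logins by one user whose
    implied travel speed exceeds max_kmh (900 km/h is an assumed airliner speed)."""
    hits = []
    for user, evs in _by_user(events).items():
        for a, b in zip(evs, evs[1:]):
            if a["lat"] is None or b["lat"] is None:
                continue  # one side has no geolocation, so distance is unknown
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km == 0:
                continue  # same place; nothing improbable about it
            hours = (_ts(b["_time"]) - _ts(a["_time"])).total_seconds() / 3600
            kmh = km / hours if hours > 0 else math.inf  # same second, far apart
            if kmh > max_kmh:
                hits.append({"user": user, "from_src": a["src"], "to_src": b["src"],
                             "km": round(km, 1), "hours": round(hours, 2),
                             "kmh": kmh if math.isinf(kmh) else round(kmh, 1)})
    return hits


def concurrent_accesses(events, window_s=300):
    """Concurrent Application Accesses: users with logins from more than one
    src within window_s seconds of each other."""
    hits = []
    for user, evs in _by_user(events).items():
        srcs = set()
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (_ts(b["_time"]) - _ts(a["_time"])).total_seconds() > window_s:
                    break  # events are time-sorted, so later ones are further away
                if b["src"] != a["src"]:
                    srcs.update((a["src"], b["src"]))
        if srcs:
            hits.append({"user": user, "srcs": sorted(srcs), "window_s": window_s})
    return hits


if __name__ == "__main__":
    for h in improbable_accesses(EVENTS):
        print("improbable travel:", h)
    for h in concurrent_accesses(EVENTS):
        print("concurrent access:", h)
```

On the sample data only alice trips the improbable-travel check (New York to London in 45 minutes), while bob and dave trip the concurrent-access check. Note that dave's first login from a private address is skipped by the distance check because it has no geolocation, but still counts as a distinct src for the concurrent check; that mirrors the difference in what each panel needs from the data.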

Data sources

The reports in the Access Anomalies dashboard reference data fields in the Authentication data model. Relevant data sources include proxy servers, gateways and firewalls, or other sources that reference a distinct user. Both panels need the source address of each authentication to be populated; the Geographically Improbable Accesses panel additionally needs that address to resolve to a geographic location, so authentications from private or otherwise unresolvable addresses cannot contribute a distance. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.