
Splunk Lantern

Data access data


Data access data (a subset of user activity log data) refers to the logs, records, or metadata generated when users, applications, or systems attempt to view, retrieve, modify, create, or delete data within information systems. This data tracks who accessed what data (or was denied), when, how, and under what permissions or context. Most data points will include a timestamp, user, and action. It can also include the names or IDs of the records or files accessed, the source IP, the user location, the access method, the export format, and API data.

Data access is controlled by data-centric permissions (file system ACLs, database roles, application-level permissions, etc.). It provides an audit trail for security, compliance, and operational insight. It is event driven and comes from the following:

  • Database access logs
  • File system access records
  • Cloud storage access events
  • Application data access logs
  • Access denied events
  • API data access requests
  • Data export logs

The Splunk Common Information Model (CIM) add-on contains a Data access data model with fields for monitoring shared data access user activity. It helps you detect a user's unauthorized data access, misuse, exfiltration, and more. It applies to events about users accessing data on servers that are shared by many other users. You might also be interested in data loss prevention data.
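The detection use cases above, as an added example that is not part of this Lantern page or the CIM add-on: the script runs over constructed data access records and flags repeated access-denied events per user and source, and users reading an unusual breadth of distinct objects within a time span. The field names (`_time`, `user`, `action`, `object`, `src`) are assumed CIM-style names, not an exact copy of the Data Access data model.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data-access events, already normalized to the kind of
# fields the page describes (timestamp, user, action, object accessed,
# source IP). Field names are assumed CIM-style names.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "user": "alice", "action": "read",
     "object": f"customer_{i}.csv", "src": "10.0.0.5"} for i in range(60)
] + [
    {"_time": "2024-05-01T09:01:00", "user": "bob", "action": "denied",
     "object": "payroll.xlsx", "src": "10.0.0.9"} for _ in range(12)
] + [
    {"_time": "2024-05-01T09:05:00", "user": "carol", "action": "read",
     "object": "report.pdf", "src": "10.0.0.7"},
]


def _bucket(ts: str, span: timedelta) -> datetime:
    """Truncate an ISO-8601 timestamp to the start of its time span."""
    t = datetime.fromisoformat(ts)
    return datetime.min + ((t - datetime.min) // span) * span


def denied_bursts(events, span=timedelta(hours=1), threshold=10):
    """Users/sources with more than `threshold` access-denied events in a span.
    Repeated denials hint at permission probing or a misconfigured job."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "denied":
            counts[(e["user"], e["src"], _bucket(e["_time"], span))] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def mass_retrieval(events, span=timedelta(hours=1), threshold=50):
    """Users reading more than `threshold` distinct objects in a span.
    A sudden breadth of reads is a common exfiltration indicator."""
    objects = defaultdict(set)
    for e in events:
        if e["action"] == "read":
            objects[(e["user"], _bucket(e["_time"], span))].add(e["object"])
    return {k: len(v) for k, v in objects.items() if len(v) > threshold}


if __name__ == "__main__":
    print("denied bursts:", denied_bursts(SAMPLE_EVENTS))
    print("mass retrieval:", mass_retrieval(SAMPLE_EVENTS))
```

Both thresholds and the span are starting points to tune against a baseline of normal activity for the data source in question.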

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion.

Add-ons and apps

Most apps related to a specific software vendor will help facilitate collecting data access data. You can search Splunkbase for apps related to software and systems in use at your organization.