Splunk Lantern

Monitoring Windows account access

Scenario: Your organization, like many others, runs Microsoft products and services as part of the IT that supports the business. Tracking account access matters operationally, because users must be able to reach the systems they need to do their work, and it matters for security, because user and service accounts are monitored for signs of misuse, so work done for one team helps the other. You need a few basic searches related to Windows account access that help both the IT team and the security team work more efficiently. You can use Splunk software to monitor authentication to endpoints and to troubleshoot account lockouts, and you can generate reports that support compliance reporting around accounts and other Windows components.
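As an added example (not a Splunk Lantern search and not Splunk code), the following Python shows the correlation that a lockout-troubleshooting search performs, run over constructed sample events: for each account-locked-out event (Windows Security event 4740) it counts the failed logons (event 4625) for that account in the preceding window, attributes them to the host named in the lockout's Caller Computer Name, and then flags accounts that the same host locks out repeatedly, the usual signature of a stale credential cached in a service, scheduled task or mapped drive. The field names (EventCode, Account_Name, Workstation_Name, Caller_Computer_Name) follow the Splunk Add-on for Windows conventions, but the events, hosts and account names are constructed. One caveat for real data: a 4625 event carries two Account_Name values (the subject and the account whose logon failed), so filter to the target account before counting.

```python
"""Correlate Windows account lockouts (4740) with the failed logons (4625)
that preceded them. Added example; the sample events below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real Splunk output) in the key=value style
# the Splunk Add-on for Windows extracts from the Security log:
#   4625 = failed logon (Workstation_Name = host the attempt came from)
#   4740 = account locked out (Caller_Computer_Name = host that triggered it)
#   4624 = successful logon (present only to show it is ignored)
# Status 0xC000006A is STATUS_WRONG_PASSWORD.
SAMPLE_EVENTS = """\
2024-03-04T07:59:30Z EventCode=4625 Account_Name=jsmith Workstation_Name=WS-FIN-02 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T08:00:01Z EventCode=4625 Account_Name=jsmith Workstation_Name=WS-FIN-07 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T08:00:16Z EventCode=4625 Account_Name=jsmith Workstation_Name=WS-FIN-07 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T08:00:31Z EventCode=4625 Account_Name=jsmith Workstation_Name=WS-FIN-07 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T08:00:46Z EventCode=4625 Account_Name=jsmith Workstation_Name=WS-FIN-07 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T08:01:01Z EventCode=4625 Account_Name=jsmith Workstation_Name=WS-FIN-07 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T08:01:02Z EventCode=4740 Account_Name=jsmith Caller_Computer_Name=WS-FIN-07
2024-03-04T08:05:00Z EventCode=4624 Account_Name=jsmith Workstation_Name=WS-FIN-02 Logon_Type=2
2024-03-04T09:30:00Z EventCode=4625 Account_Name=svc-backup Workstation_Name=SRV-BKP-01 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T09:30:10Z EventCode=4625 Account_Name=svc-backup Workstation_Name=SRV-BKP-01 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T09:30:20Z EventCode=4625 Account_Name=svc-backup Workstation_Name=SRV-BKP-01 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T09:30:21Z EventCode=4740 Account_Name=svc-backup Caller_Computer_Name=SRV-BKP-01
2024-03-04T13:30:00Z EventCode=4625 Account_Name=svc-backup Workstation_Name=SRV-BKP-01 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T13:30:10Z EventCode=4625 Account_Name=svc-backup Workstation_Name=SRV-BKP-01 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T13:30:20Z EventCode=4625 Account_Name=svc-backup Workstation_Name=SRV-BKP-01 Status=0xC000006A Failure_Reason="Unknown user name or bad password."
2024-03-04T13:30:21Z EventCode=4740 Account_Name=svc-backup Caller_Computer_Name=SRV-BKP-01
"""

_LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
# key=value pairs; values are either "quoted, may contain spaces" or bare tokens
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one event line into a dict; 'time' becomes a tz-aware datetime."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    ts, rest = m.groups()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for key, _whole, quoted, bare in _KV_RE.findall(rest):
        event[key] = quoted if quoted else bare
    return event


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def correlate_lockouts(events, window=timedelta(minutes=10)):
    """For every 4740, count the 4625 failures for the same account inside the
    preceding window, split into those from the host that triggered the lockout
    and those from anywhere else (a bad password typed at a second machine)."""
    failures = [e for e in events if e.get("EventCode") == "4625"]
    findings = []
    for lock in events:
        if lock.get("EventCode") != "4740":
            continue
        user = lock.get("Account_Name")
        source = lock.get("Caller_Computer_Name", "unknown")
        start = lock["time"] - window
        recent = [f for f in failures
                  if f.get("Account_Name") == user and start <= f["time"] <= lock["time"]]
        by_host = Counter(f.get("Workstation_Name", "unknown") for f in recent)
        findings.append({
            "user": user,
            "time": lock["time"],
            "source": source,
            "failures_from_source": by_host.get(source, 0),
            "failures_elsewhere": sum(by_host.values()) - by_host.get(source, 0),
        })
    return findings


def repeat_lockout_sources(findings, min_lockouts=2):
    """(user, host) pairs where the same host locked the account out repeatedly:
    the candidates for a stale stored credential ('zombie' lockouts)."""
    counts = Counter((f["user"], f["source"]) for f in findings)
    return {pair for pair, n in counts.items() if n >= min_lockouts}


if __name__ == "__main__":
    results = correlate_lockouts(parse_events(SAMPLE_EVENTS))
    for r in results:
        print(f"{r['time']:%H:%M:%S} {r['user']} locked out via {r['source']}: "
              f"{r['failures_from_source']} failures from that host, "
              f"{r['failures_elsewhere']} elsewhere")
    for user, host in sorted(repeat_lockout_sources(results)):
        print(f"repeat lockouts of {user} from {host}: check stored credentials on that host")
```

The window and the repeat threshold are the two knobs worth tuning against your own lockout policy: the window should cover at least the domain's lockout observation window, and a repeat threshold of two within a day is usually enough to separate a mistyped password from a service or task that keeps replaying an old one.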

Prerequisites

To succeed in implementing this use case, you need the following dependencies, resources, and information.

How to use Splunk software for this use case

You can run many searches with Splunk software to monitor Windows account access. Depending on what information you have available, you might find it useful to identify some or all of the following: 

Results

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Active Directory group policies administration
  • Identity and Access Management systems administration (e.g., OneLogin, Okta, etc.)

Measuring impact and benefit is critical to assessing the value of IT operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Count of zombie account lockouts (accounts repeatedly locked out by a stale credential cached in a service, scheduled task, or mapped drive): number mitigated per unit of time
  • A reduction in the time taken for any of the following:
    • Mean time to user account lockout discovery and resolution
    • Mean time to detect (MTTD) problems
    • Mean time to investigate
    • Mean time to resolution
    • Time to provide attestation to regulatory requirements related to user accounts, such as CIS Control 16, Account Monitoring and Control (CIS Controls v7 numbering; the corresponding control in v8 is Control 5, Account Management)

Additional resources 

This use case is also included in the IT Essentials Learn app, which provides more information about how to implement the use case successfully in your IT maturity journey. In addition, these Splunk resources might help you understand and implement this use case:
