Your organization uses Microsoft products and services, and users in your organization access those services through user and service accounts. Your organization needs to investigate user login issues and account lockouts for IT purposes, so that users can reach the systems they need to do their work, but you also need to monitor account usage for security purposes.
You can use the searches in this use case to help you identify login attempts that may indicate suspicious activity, and generate records of user group changes that you can examine as part of your threat hunting processes.
How to use Splunk software for this use case
You can run many searches with Splunk software to monitor Windows account access. Depending on what information you have available, you might find it useful to identify some or all of the following:
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Active Directory group policies administration
- Identity and Access Management systems administration (e.g., OneLogin, Okta, etc.)
In addition, these Splunk resources might help you understand and implement this use case:
- Use case: Baseline of user logon times
- Use case: Authentication logs for an endpoint
- Blog: Peeping through Windows (logs)
- Conf Talk: Security visibility through Windows endpoint analytics
- Tech Talk: My start will go on: Splunk's TA for Windows Part 1
- Tech Talk: My start will go on: Splunk's TA for Windows Part 2