Scenario: Your organization, like so many others, uses Microsoft products and services as part of its information technology in support of the business. Account access is important to track to ensure users are able to access the systems needed to do their work. User accounts and service accounts are often also monitored for security reasons, so work done for one domain can help the other. You need a few basic searches related to Windows account access that can help both your team and the security team work more efficiently.
How Splunk software can help
You can use Splunk software to monitor authentication to endpoints and troubleshoot account lockouts. You can also generate reports that support compliance reporting efforts around accounts and other Windows-related components.
What you need
To succeed in implementing this use case, you need the following dependencies, resources, and information.
The best person to implement this use case is a Windows system administrator who is familiar with Windows Event monitoring and Active Directory. This person might come from your team, a Splunk partner, or Splunk OnDemand Services.
Implementing this use case can take up to a few hours to get the data in and begin working through the procedures.
The following technologies, data, and integrations are useful in successfully implementing this use case:
- Splunk Enterprise or Splunk Cloud
- Data sources onboarded
- Windows event logs
- Splunk Add-on for Microsoft Windows
- Splunk App for Windows Infrastructure
How to use Splunk software for this use case
You can run many searches with Splunk software to monitor Windows account access. Depending on what information you have available, you might find it useful to identify some or all of the following:
- Windows account activity overview
- Windows account lockouts
- Windows Zombie account lockouts
- Windows service account login attempts
- Baseline of user logon times
- Authentication logs for an endpoint
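An added example (not from the original page) of one of the searches listed above: a Windows account lockout search over Security event 4740 that also flags likely zombie lockouts. It assumes the index name wineventlog and relies on the user and src fields that the Splunk Add-on for Microsoft Windows extracts (falling back to the raw TargetUserName and Caller_Computer_Name fields); the "three or more lockouts from a single caller computer" heuristic is an assumption, not a Splunk-defined threshold.

```spl
index=wineventlog source="WinEventLog:Security" EventCode=4740
| eval user=coalesce(user, TargetUserName), src=coalesce(src, Caller_Computer_Name)
| stats count AS lockouts, dc(src) AS distinct_sources, values(src) AS sources,
        min(_time) AS first_seen, max(_time) AS last_seen BY user
| eval span_hours=round((last_seen-first_seen)/3600, 1)
| eval likely_zombie=if(lockouts>=3 AND distinct_sources=1, "yes", "no")
| convert ctime(first_seen) ctime(last_seen)
| sort - lockouts
```

Run it over the last 24 hours to see which accounts keep locking from the same caller computer, the usual sign of a stale cached credential on a service, scheduled task, or mapped drive rather than a user typing the wrong password.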
Other steps you can take
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Active Directory group policies administration
- Identity and Access Management systems administration (e.g., OneLogin, Okta)
These additional Splunk resources might help you understand and implement this use case:
- Blog: Peeping through Windows (logs)
- Conf talk: Security visibility through Windows endpoint analytics
- Whitepaper: The Essential guide to AIOps
- Tech Brief: Artificial intelligence for IT Operations (AIOps)
- Analysis Report: Market guide to AIOps platforms
How to assess your results
Measuring impact and benefit is critical to assessing the value of IT operations. The following are example metrics that can be useful to monitor when implementing this use case:
- Count of Zombie account lockouts: Number mitigated per unit of time
- A reduction in the time taken for any of the following:
  - Mean time to user account lockout discovery and resolution
  - Mean time to detect (MTTD) problems
  - Mean time to investigate
  - Mean time to resolution
  - Time to provide attestation to regulatory requirements related to user accounts, such as CIS Control 16