I need to build an overall user activities report, as in login activities, files accessed, files exported, applications accessed, failed attempts, etc., whichever potential tracking can be done in Splunk for a user.
I am not sure how to approach this.
Can someone help me with which index or data model I should start with to get this kind of information?
Any help would be really appreciated.
As others mentioned, specify your requirement.
Do you want to track user activities from other systems (like OS, network devices, security devices, ...) or from Splunk itself?
If you use Splunk Enterprise Security (ES), the relevant data models (like Authentication, Change, ...) are available (if you configure CIM-compliant data onboarding). For core Splunk, you need to onboard and normalize data accordingly and create dashboards/reports based on your requirements.
For Splunk audit activity, the latest Splunk comes with the Splunk Audit Trail app. It provides real-time visibility into user activity and knowledge object changes using data from the _audit index.
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
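As an added example (not part of the reply above), this is the kind of search the Authentication data model makes possible once CIM-compliant data is onboarded: a per-user summary of logon successes and failures across every source that populates the model. It uses only the standard CIM Authentication fields (user, action, app, dest); summariesonly=false is an assumption that lets it run against raw events even when the model is not accelerated.

```spl
| tstats summariesonly=false count, min(_time) as first_seen, max(_time) as last_seen
    from datamodel=Authentication
    where Authentication.action IN ("success", "failure")
    by Authentication.user, Authentication.action, Authentication.app, Authentication.dest
| rename Authentication.* as *
| stats sum(count) as attempts, min(first_seen) as first_seen, max(last_seen) as last_seen,
        dc(dest) as distinct_dests, values(dest) as dests, values(app) as apps
    by user, action
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort user, action
```

Two things to check before trusting the output: if the user column shows "unknown" or is empty for a source, that source's add-on is not extracting the CIM user field and needs fixing at onboarding; and a high distinct_dests on the failure row for one user is the pattern worth alerting on (one account tried against many hosts), which is why the search keeps dest rather than collapsing it.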
@PrewinThomas ,
Yes, I want to track user activities from other systems (like OS, network devices, security devices, ...),
and I have the Authentication data model available.
I want to track users' activities like logins, files accessed/exported, applications/servers accessed, etc.
I am confused whether I should query the wineventsecurity logs or the Authentication data model, or if there is any particular index in general which tracks these kinds of events in Splunk.
Thank you for replying back!
Hi @mchoudhary,
your question is too vague:
which kind of logs are you speaking of (Windows, Linux, Splunk, etc.)? What is the technology you are using?
Have you already ingested these logs in Splunk, or must you still ingest them?
Ciao.
Giuseppe
It's not clear if you want to use Splunk to track user activity on other systems or if you want to track what users do in Splunk itself.
The former will depend on what events are sent from the systems of interest to Splunk. These will probably include Windows event logs and/or Linux audit logs.
The latter can be done by searching _audit and _internal (especially the splunkd_access and splunkd_ui_access sources).
I am trying to build an SPL query/report for general user tracking across Splunk, and not what users do in Splunk itself. Activities like login tracking, reports they accessed, applications accessed, files they exported, etc., or any potential activities that can be tracked for a user in Splunk.
Splunk can only track what is reported to it. That means all systems must send logins, report and application accesses, file exports, etc., to Splunk. Then you can use that data to build reports and alerts.
Specifics will depend on what platforms and applications you have, as well as company policies.
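As an added example (not from the reply above), here is what "the systems must send it" looks like for the Windows case: a raw search over Windows Security events that turns the four event IDs most relevant to the original question into one activity summary per user. The index name wineventlog, the sourcetype WinEventLog:Security (it is XmlWinEventLog:Security if the inputs use renderXml=true) and the field names user, Logon_Type, Object_Name and New_Process_Name as extracted by the Splunk Add-on for Microsoft Windows are assumptions; adjust them to your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4624 OR EventCode=4625 OR EventCode=4663 OR EventCode=4688)
| search user=* NOT user="*$" NOT user="SYSTEM" NOT user="ANONYMOUS LOGON"
| eval activity=case(
    EventCode=4624, "logon success (type ".coalesce(Logon_Type, "?").")",
    EventCode=4625, "logon failure",
    EventCode=4663, "file access: ".coalesce(Object_Name, "unknown object"),
    EventCode=4688, "process start: ".coalesce(New_Process_Name, "unknown process"))
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen, values(host) as hosts
    by user, EventCode, activity
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort user, EventCode, - count
```

The caveat that matters most here is the point the reply makes: 4624 and 4625 are logged by default, but 4663 (object access) only appears if "Audit File System" / "Audit Object Access" is enabled and the files or folders carry a SACL naming the users to audit, and 4688 (process creation) only appears if "Audit Process Creation" is enabled (and the command line only with the "Include command line in process creation events" policy). If those rows are empty, the gap is in the Windows audit policy, not in the search. The search also filters out machine accounts (names ending in $) so that service and computer logons do not swamp the human activity you are reporting on.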