account_monitoring.yml
category:
- Best Practices
channel: ESCU
creation_date: '2017-08-05'
description: A common attack technique is to leverage user accounts to gain unauthorized
  access to the target's network. This Analytic Story minimizes opportunities for
  attack by helping you actively manage creation/use/dormancy/deletion--the lifecycle
  of system and application accounts.
detections:
- detection_id: 475b9e27-17e4-46e2-b7e2-648221be3b89
  name: Identify New User Accounts
  type: splunk
- detection_id: b25f6f62-0782-43c1-b403-083231ffd97d
  name: Short Lived Windows Accounts
  type: splunk
- detection_id: c026e3dd-7e18-4abb-8f41-929e836efe74
  name: Detect Excessive Account Lockouts From Endpoint
  type: splunk
- detection_id: 95a7f9a5-6096-437e-a19e-86f42ac609bd
  name: Detect Excessive User Account Lockouts
  type: splunk
id: 8892a655-6205-55f7-abba-06460e38c8ae
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
modification_date: '2017-09-06'
name: Account Monitoring and Controls
narrative: Monitoring user accounts within your enterprise is a critical analytic
  function that helps ensure that credential and access policies/procedures are properly
  implemented and are being enforced. Proactive ad-hoc hunting, as well as routine
  monitoring, can ensure user or system accounts are not being abused by unauthorized
  individuals or processes. In the event of a network event or breach, user-authentication
  logs are a key resource in determining if or how an account might have been compromised
  or co-opted, leading to suspicious or malicious activity.
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
references:
- https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
spec_version: 2
usecase: Security Monitoring
version: '1.0'