ACTIONABLE ALERTS – User Provisioning Systems

Unauthorized User ID Creation Monitoring in Windows/Unix systems

One of the largest Multi-national bank with global presence that manages user provisioning activity for its customers uses Splunk to monitor unauthorized User ID creations.


  • Manual log Aggregation/Analysis: Tedious process for log aggregation involving multiple teams
  • Lack of single security platform that could quickly detect ID creation events, aggregate, correlate, analyse data from multiple systems and sources
  • Co-ordination issues – Fraud Investigation Workflow process spread across multiple systems/teams; Increased MTTR (Mean time to resolution)
  • Timely Analysis – correlating information across different log types was difficult and sometimes log data was overwritten, limiting investigations.


  • ID creation events correlated/mapped against matching sources to validate the authenticity of the request
  • Any mapping discrepancy triggers a near real time alert to flag the security monitoring team for further investigation
  • Splunk based near real-time ID Creation monitoring dashboards and alerts for Windows/Unix platforms


  • Improved security posture – reduced financial/data losses
  • A single unified platform for near real-time log search, analysis, and reporting
  • Reduced manual efforts/labor costs
  • Quicker Troubleshooting & Response: MTTR reduced from days to minutes; quickly identify & block unauthorized accounts

Monitored Systems/Data Sources: Windows/Unix system logs, User Management System logs (Matching Source), User Provisioning Tool logs (Matching Source)

Users: Information Security Team

Product: Splunk Enterprise