Background:
Unauthorized User ID Creation Monitoring in Windows/Unix systems
One of the largest multinational banks with a global presence wants to monitor unauthorized user ID creation as an indicator of fraudulent activity. Splunk's alert management capabilities give the bank an effective method of tracking and identifying these events.
Challenges:
- Manual log aggregation/analysis: a tedious process involving multiple teams
- Lack of a single security platform that could quickly detect ID creation events and aggregate, correlate, and analyze data from multiple systems and sources
- Coordination issues – fraud investigation workflow spread across multiple systems/teams, increasing MTTR (mean time to resolution)
- Timely analysis – correlating information across different log types was difficult, and log data was sometimes overwritten before it could be examined, limiting investigations
Solutions:
- ID creation events from Windows/Unix system logs are correlated/mapped against the matching sources (user management and user provisioning logs) to validate that each creation corresponds to an authentic request
- Any mapping discrepancy (a created account with no matching request) triggers a near real-time alert to the security monitoring team for further investigation
- Splunk-based near real-time ID creation monitoring dashboards and alerts for Windows/Unix platforms
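The correlation described above, as an added example that is not part of the original case study and not Splunk's or the bank's own code: a small Python stand-in for the Splunk search that joins account-creation events against the provisioning "matching source". It parses Windows Security event 4720 (A user account was created) and Unix useradd syslog lines, then flags any creation that has no approval for the same user and host within a time window before the creation. The flattened key=value layout of the Windows lines, the approval record format, and the 24-hour window are assumptions; all log lines and approvals are constructed samples.

```python
"""Correlate account-creation events against provisioning approvals.

Added example: log lines, hostnames, usernames and the approval list below
are constructed for illustration and do not come from the case study.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows Security events flattened one per line, as a forwarder might deliver
# them (layout assumed). EventCode 4720 = "A user account was created".
WINDOWS_LOG = """\
2024-03-01T09:12:04Z host=WINDC01 EventCode=4720 TargetUserName=j.doe SubjectUserName=svc_provision
2024-03-01T13:40:51Z host=WINDC01 EventCode=4720 TargetUserName=backup_adm SubjectUserName=t.smith
2024-03-01T13:41:02Z host=WINDC01 EventCode=4624 TargetUserName=t.smith SubjectUserName=-
"""

# Unix useradd entries in syslog format (e.g. /var/log/secure). Constructed samples.
UNIX_LOG = """\
Mar  1 10:05:33 lnxapp07 useradd[2211]: new user: name=m.lee, UID=1203, GID=1203, home=/home/m.lee, shell=/bin/bash
Mar  1 15:22:10 lnxdb02 useradd[4410]: new user: name=tmpuser9, UID=1299, GID=1299, home=/home/tmpuser9, shell=/bin/bash
"""

# Approved requests exported from the provisioning tool (the "matching source").
# Constructed: (username, host, approval timestamp). tmpuser9 was approved only
# after the account already existed, which the correlation treats as a mismatch.
PROVISIONING_APPROVALS = [
    ("j.doe", "WINDC01", "2024-03-01T08:55:00Z"),
    ("m.lee", "lnxapp07", "2024-03-01T09:50:00Z"),
    ("tmpuser9", "lnxdb02", "2024-03-02T09:00:00Z"),
]

WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=4720 "
    r"TargetUserName=(?P<user>\S+) SubjectUserName=(?P<creator>\S+)$"
)
UNIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) useradd\[\d+\]: "
    r"new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)"
)


@dataclass
class Creation:
    user: str
    host: str
    when: datetime
    source: str
    creator: str


def _iso(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_windows(text: str) -> list:
    """Return account-creation events (4720 only); other event codes are skipped."""
    out = []
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m:
            out.append(Creation(m["user"], m["host"], _iso(m["ts"]), "windows", m["creator"]))
    return out


def parse_unix(text: str, year: int) -> list:
    """Return useradd events. Syslog timestamps carry no year, so one is supplied."""
    out = []
    for line in text.splitlines():
        m = UNIX_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padding in "Mar  1"
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            out.append(Creation(m["user"], m["host"], when, "unix", f"uid={m['uid']}"))
    return out


def correlate(creations: list, approvals: list, window: timedelta = timedelta(hours=24)) -> list:
    """Return creations with no approval for the same user/host that precedes
    the creation by at most `window`. Matching is case-insensitive."""
    approved = {}
    for user, host, ts in approvals:
        approved.setdefault((user.lower(), host.lower()), []).append(_iso(ts))
    flagged = []
    for c in creations:
        times = approved.get((c.user.lower(), c.host.lower()), [])
        if not any(t <= c.when <= t + window for t in times):
            flagged.append(c)
    return flagged


def run(year: int = 2024) -> list:
    """Parse both sources and return unmatched creations in time order."""
    creations = parse_windows(WINDOWS_LOG) + parse_unix(UNIX_LOG, year)
    return sorted(correlate(creations, PROVISIONING_APPROVALS), key=lambda c: c.when)


if __name__ == "__main__":
    for c in run():
        print(f"ALERT unmatched account creation: {c.user}@{c.host} "
              f"at {c.when:%Y-%m-%d %H:%M} ({c.source}, created by {c.creator})")
```

On the sample data this flags backup_adm (no request at all) and tmpuser9 (request raised after the account existed), while j.doe and m.lee match their approvals. In Splunk the same logic would be a scheduled search over the Windows and Unix indexes joined to a lookup or subsearch of the provisioning index, with the unmatched rows driving the alert; the time window and the host field are the two knobs that most affect false positives, since provisioning records that use a different host naming convention will not match.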
Benefits:
- Improved security posture – reduced financial/data losses
- A single unified platform for near real-time log search, analysis, and reporting
- Reduced manual effort/labor costs
- Quicker troubleshooting & response: MTTR reduced from days to minutes; unauthorized accounts are quickly identified & blocked
Monitored Systems/Data Sources: Windows/Unix system logs, User Management System logs (Matching Source), User Provisioning Tool logs (Matching Source)
Users: Information Security Team
Product: Splunk Enterprise