Entity Monitoring

In the Reports Portal, select Repository > Standard Content > Foundation > Entity Monitoring.

To help prevent brute-force or denial-of-service attacks, you can track login activity in your environment. A malicious user might try to guess another user's password by repeatedly attempting to log in to the same account; you can track this behavior by observing failed login attempts. You might also watch for users who attempt to log in to multiple devices and hosts. Malicious users might also create, modify, and delete accounts to gain unauthorized access or to execute harmful code.

To monitor account activity, use the following dashboards and reports:

Dashboards:

  • Account Management

  • Login Activity Overview

  • User Profile Overview

Reports:

  • All Logins by Hostname

  • Failed Logins Summary

  • Login Activity by User

Account Management

Provides charts and a table to view actions associated with account management.

Charts:

  • Source User, Modification, Outcome, and Account

  • Account Management Actions

  • Account Modification by User

  • Events Table

Special Views:

  • Accounts by Action Type

  • Management Account Distribution

  • Windows Account Privilege Change

Filters:

  • Device Vendor and Product

  • Outcome

  • Action Type

Login Activity Overview

Provides an overview of login activity. The table shows the details of each event; clicking Global Event Id takes you to the Event Inspector. You can also click Open Search, which takes you to the search page and loads the categoryBehavior = /Authentication/Verify query for the same time range in which the dashboard was run.

Charts:

  • By Destination User

  • By Destination Host

  • By Source Address

  • Events Table

Special Filters:

  • Login Activity Distribution

  • Windows Logon Type

Filters:

  • Login Outcomes

  • Device Vendor and Product

User Profile

Displays information about a specific user's actions in your environment. This is a drill-down dashboard: you can open it for a specific user from another dashboard, table, bar, or chart, or enter the user in the dashboard search bar. The dashboard requires a valid user to show information.

Charts:

  • Log In Connections

  • Account Management Actions

  • Traffic by Volume

  • Requested URLs

  • Processes Used

  • Application Protocols

  • Events Table

Filters:

  • Device Vendor and Product

  • Category Outcome

  • Category Significance

All Logins by Hostname

Reports the number of login attempts over time, including the outcome, for the specified hosts.

You must specify one IP address.

Failed Logins Summary

Reports the number of failed logins over time. The table includes the user, source address, target host, and number of failed attempts.
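The aggregation behind this report, together with the multi-host login check mentioned in the introduction, can be reproduced offline over exported events. The following is an added example, not part of the product or its documentation; the field names, the /Failure and /Success outcome values, the thresholds, and the case-insensitive user matching are assumptions, and the events are constructed.

```python
from collections import Counter, defaultdict

AUTH = "/Authentication/Verify"  # categoryBehavior value from the dashboard query

def _ev(user, src, host, outcome, behavior=AUTH):
    # Field names and outcome values are assumptions, not taken from the page.
    return {"categoryBehavior": behavior, "categoryOutcome": outcome,
            "destinationUserName": user, "sourceAddress": src,
            "destinationHostName": host}

# Constructed sample events (not real data).
EVENTS = (
    [_ev("alice", "10.0.0.5", "web01", "/Failure")] * 3
    + [_ev("Alice", "10.0.0.5", "web01", "/Failure"),   # same account, different case
       _ev("alice", "10.0.0.5", "web01", "/Success"),
       _ev("alice", "10.0.0.5", "web01", "/Failure", behavior="/Access/Start"),
       _ev("carol", "10.0.0.7", "web01", "/Success")]
    + [_ev("bob", "10.0.0.9", h, "/Failure") for h in ("web01", "db01", "mail01")]
)

def _logins(events):
    """Yield authentication events only, with user names lower-cased for grouping."""
    for e in events:
        if e.get("categoryBehavior") == AUTH and e.get("destinationUserName"):
            yield {**e, "destinationUserName": e["destinationUserName"].lower()}

def failed_login_summary(events, threshold=3):
    """Rows of (user, source address, target host, failed attempts) >= threshold."""
    counts = Counter(
        (e["destinationUserName"], e.get("sourceAddress", "-"),
         e.get("destinationHostName", "-"))
        for e in _logins(events) if e.get("categoryOutcome") == "/Failure")
    return sorted((u, s, h, n) for (u, s, h), n in counts.items() if n >= threshold)

def users_on_many_hosts(events, min_hosts=3):
    """Users who attempted logins (any outcome) on at least min_hosts hosts."""
    hosts = defaultdict(set)
    for e in _logins(events):
        hosts[e["destinationUserName"]].add(e.get("destinationHostName", "-"))
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for row in failed_login_summary(EVENTS):
        print("failed logins:", row)
    print("multi-host users:", users_on_many_hosts(EVENTS))
```

Repeated failures against one account surface in the first function; a single failure on each of several hosts stays below that threshold and is only caught by the second.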

Login Activity by User

Reports the number of times that the specified users have attempted to log in to a host. The table indicates whether each attempt was successful.

You must specify one user by Destination UserName.