This is a simple way to put someone on a watchlist. It covers not only external threats but internal ones as well, and it is useful for seeing whether anyone is exfiltrating sensitive files or trying to connect to unauthorised hosts.
Try looking through the logs without Splunk: it will take you ages, and life will have evolved by then.
In one click you get a digital footprint of the person on the watchlist: a quick check of login successes and failures, a list of the commands they have been running, and the hosts they have been trying to log in to.
Create a lookup, authorised_users.csv, add it to the lookups folder, then create a simple dashboard that takes a dropdown input populated from the CSV file, and create the widgets as required.
authorised_users.csv
user,is_approved
bsimpson,yes
hford,yes
splunk,yes
Create a token based on the selected user and run searches such as the example below.
| from datamodel:"Authentication"."Failed_Authentication" | search user=$user_token$ | stats count
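A minimal Simple XML dashboard that wires the lookup, the dropdown token and the searches together, as an added example (this is not the original post's dashboard). The authorised_users.csv lookup and the $user_token$ name come from the post; the time input, the tstats query against the CIM Authentication data model for the per-host breakdown, and the sourcetype=bash_history / command field used for the commands panel are assumptions and will need adjusting to whatever is actually indexed.

```xml
<!-- Added example: watchlist dashboard (Simple XML); not the original post's code -->
<form>
  <label>User watchlist</label>

  <fieldset submitButton="false">
    <!-- Dropdown populated from the lookup; the chosen value becomes $user_token$ -->
    <input type="dropdown" token="user_token" searchWhenChanged="true">
      <label>Watched user</label>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>| inputlookup authorised_users.csv | fields user</query>
      </search>
    </input>
    <!-- Assumed addition: a time picker so every panel covers the same window -->
    <input type="time" token="time_token">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Failed logins</title>
      <single>
        <search>
          <query>| from datamodel:"Authentication"."Failed_Authentication" | search user=$user_token$ | stats count</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
      </single>
    </panel>
    <panel>
      <title>Successful logins</title>
      <single>
        <search>
          <query>| from datamodel:"Authentication"."Successful_Authentication" | search user=$user_token$ | stats count</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
      </single>
    </panel>
  </row>

  <row>
    <panel>
      <title>Hosts this user tried to log in to (success vs failure)</title>
      <table>
        <search>
          <!-- tstats against the accelerated CIM Authentication model; dest is the target host -->
          <query>| tstats count from datamodel=Authentication where Authentication.user="$user_token$" by Authentication.dest Authentication.action | rename Authentication.* AS * | chart sum(count) over dest by action</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Commands run</title>
      <table>
        <search>
          <!-- Assumed sourcetype and field names; replace with whatever your shell/audit logs provide -->
          <query>index=os sourcetype=bash_history user=$user_token$ | stats count by command | sort - count</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Save it as a new dashboard in the app that holds the lookup (the lookup must be shared to that app or globally), and check that the dropdown lists the users from authorised_users.csv before trusting the panels; an empty dropdown usually means the lookup is not visible in that context. The tstats panel only returns data if the Authentication data model is populated by an add-on that maps your authentication logs to CIM fields.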
Done