I know IDR has a great way to automatically list out all detected shared accounts as shared below:
Would it be possible to get some advice on this? Either of these points actually works fine for me as long as there's a way.
Is there a way to get this kind of representation in Dashboard Cards?
I just want to at least generate a scheduled report detailing such info, say every day or once a week or something.
If possible, is there a way to create a custom alert if this kind of behavior is detected?
I actually tried creating one but am struggling to create my query, since I can't just have something like source_account != target_account.
Using the above screenshot as a reference to validate my query results, I notice there's a big difference. One of them is that the log line sometimes doesn't have the source_account or source_user fields.
Or is this something that cannot be done directly because it is part of the UBA algorithm?
Also, I noticed that the readily available data cannot be sorted by the latest event, so one needs to check row by row to see which is the latest.
Hi @nowel,
You can't have multiple accounts in Dashboard Cards right now, because the data is completely separate.
We are working on a feature though to make all investigations of all your accounts visible in the investigation management. I would recommend opening a feature request with your use-case.
To your second question: If you want to compare two fields, you need to use two equal signs:
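An added illustration, not part of the reply above, not Rapid7 code and not an InsightIDR/LEQL query: the "source account differs from target account" comparison emulated offline in Python over a few constructed JSON log lines, with the two snags raised in the question handled explicitly. Events that lack a source field are counted rather than silently treated as a match or a non-match, results come back ordered newest first, and a second pass groups hits by target account so that only accounts reached from more than one distinct source are reported as shared. The field names source_account, source_user, target_account, timestamp and host, and the JSON-per-line shape, are assumptions made for this example.

```python
"""Offline stand-in for a 'source_account != target_account' query.

Added example: emulates the comparison discussed in the thread on
constructed sample events. It is not Rapid7's code and not LEQL.
"""
import json
from datetime import datetime, timezone

# Constructed sample log lines (field names are assumptions for this example).
# Line 4 deliberately has no source_account/source_user field, which is the
# edge case the poster ran into.
SAMPLE_LOG = """\
{"timestamp": "2023-03-01T08:00:00Z", "source_account": "alice", "target_account": "svc_backup", "host": "srv01"}
{"timestamp": "2023-03-01T09:15:00Z", "source_account": "bob", "target_account": "svc_backup", "host": "srv02"}
{"timestamp": "2023-03-01T09:30:00Z", "source_account": "carol", "target_account": "carol", "host": "ws07"}
{"timestamp": "2023-03-02T07:45:00Z", "target_account": "svc_backup", "host": "srv01"}
{"timestamp": "2023-03-02T10:00:00Z", "source_account": "alice", "target_account": "svc_deploy", "host": "srv03"}
{"timestamp": "2023-03-03T11:20:00Z", "source_account": "dave", "target_account": "svc_backup", "host": "srv02"}
"""


def parse_events(text):
    """Parse one JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _event_time(hit):
    """Parse the assumed ISO-8601 UTC timestamp so sorting is by real time, not by string."""
    return datetime.strptime(hit["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_shared_account_events(events):
    """Return (hits, skipped).

    A hit is an event whose source and target accounts are both present and
    differ (case-insensitive). source_user is accepted as a fallback for
    source_account. Events missing either side are counted in `skipped`
    instead of being silently dropped or treated as a match. Hits are
    returned newest first.
    """
    hits, skipped = [], 0
    for ev in events:
        src = ev.get("source_account") or ev.get("source_user")
        dst = ev.get("target_account")
        if not src or not dst:
            skipped += 1
            continue
        if src.casefold() != dst.casefold():
            hits.append({
                "timestamp": ev["timestamp"],
                "source": src,
                "target": dst,
                "host": ev.get("host", ""),
            })
    hits.sort(key=_event_time, reverse=True)
    return hits, skipped


def shared_account_report(hits):
    """Group newest-first hits by target account.

    Keeps only targets used from more than one distinct source account,
    which is the 'shared account' pattern; `latest` is the most recent
    event for that target.
    """
    report = {}
    for h in hits:  # newest first, so the first sighting of a target is its latest event
        entry = report.setdefault(h["target"], {"sources": set(), "latest": h["timestamp"]})
        entry["sources"].add(h["source"])
    return {t: e for t, e in report.items() if len(e["sources"]) > 1}


if __name__ == "__main__":
    hits, skipped = find_shared_account_events(parse_events(SAMPLE_LOG))
    print(f"{len(hits)} cross-account events, {skipped} event(s) skipped for missing fields")
    for target, entry in shared_account_report(hits).items():
        print(f"{target}: used by {sorted(entry['sources'])}, latest {entry['latest']}")
```

Run as a script it prints the per-target summary; on the sample data svc_backup is reported as shared by alice, bob and dave, svc_deploy is not (a single source), and the event with no source field is counted as skipped rather than lost. Surfacing that skipped count is the part worth keeping when you build the real scheduled report, because it tells you how much of the data your comparison never saw.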
Thank you very much for your reply and advice on the above especially on the query.
Going back to the Shared Account data as a Card representation, I actually seem to remember that this was available before the Dashboard tab was upgraded. I was just surprised when I checked recently and it was missing, and I thought I had remembered incorrectly.
Now it seems I was right on this, as skimming through your documentation, it is stated there, so I guess it really was removed? Perhaps it would be considered faster if I requested it to be loaded again in the system…