User drilldown tab

Edoardo Gerosa edited this page May 31, 2020 · 1 revision

The User drilldown tab provides insights into all user activity registered within the specified timespan. The workbook isn't limited just to Sysmon logs generated by the selected user but also takes into account Windows Security Log Events to highlight suspicious user activity.

The User drilldown tab displays the following tables:

  • Punchcard analysis of user activity by ATT&CK technique within the selected timespan
  • Heatmap grid of user ATT&CK activity by host
  • Authentication failures over time
  • Cluster view of authentication failures by user and host
  • Cluster view of authentication successes by user and host
  • Drilldown tables covering the following Windows Security Log Events:
    • EventID 4720 - SA Accounts are excluded
    • EventID 4722 - SA and Computer Accounts are excluded
    • EventID 4726 - SA and Computer Accounts are excluded
  • Drilldown tables covering the following user activity:
    • Accounts created or changed and added to Group
    • Accounts changed and removed from group(s)
    • Accounts locked out
    • Accounts unlocked
    • Accounts disabled
    • Accounts renamed
    • Account password changed by user
    • Account password changed by administrator
  • Drilldown tables covering the following Sysmon events generated by the selected user:
    • Process create events
    • Process access events
    • File create events
    • Image loaded events
    • Network connection events
    • Create remote thread events
    • Registry access events
    • Pipe events

A higher definition picture of the User drilldown tab can be found here.
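The account-management and authentication-failure tables listed above, reproduced over constructed Security Log records as an added example (this is not the workbook's own query). It assumes computer accounts are names ending in `$`, that the page's "SA" (service accounts) are recognised here by a `svc_` name prefix, and that authentication failures are EventID 4625.

```python
"""Account-management and auth-failure drilldowns over constructed Security Log events.
Added example, not the workbook's query. Assumed: computer accounts end in "$",
service accounts carry a "svc_" prefix, authentication failures are EventID 4625."""
from collections import Counter

# Event IDs named on the page, with the meaning Windows gives them.
ACCOUNT_EVENTS = {4720: "Account created", 4722: "Account enabled", 4726: "Account deleted"}
# Per the page: 4720 drops service accounts only; 4722 and 4726 drop computer accounts too.
EXCLUDE_COMPUTER_ACCOUNTS = {4722, 4726}
LOGON_FAILURE = 4625  # assumed event ID for the authentication-failure tables

def is_service_account(name):
    return name.lower().startswith("svc_")  # assumed naming convention

def is_computer_account(name):
    return name.endswith("$")  # machine accounts always carry a trailing "$"

def account_drilldown(events):
    """Rows the account-management tables would show, after the page's exclusions."""
    rows = []
    for e in events:
        eid = e["EventID"]
        if eid not in ACCOUNT_EVENTS:
            continue
        target = e["TargetUserName"]
        if is_service_account(target):
            continue
        if eid in EXCLUDE_COMPUTER_ACCOUNTS and is_computer_account(target):
            continue
        rows.append((e["TimeCreated"], e["Computer"], e["SubjectUserName"], target, ACCOUNT_EVENTS[eid]))
    return rows

def auth_failure_clusters(events):
    """Logon failures counted per (user, host): the 'cluster view' aggregation."""
    return Counter((e["TargetUserName"], e["Computer"])
                   for e in events if e["EventID"] == LOGON_FAILURE)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-05-30T08:01Z", "EventID": 4720, "Computer": "DC01", "SubjectUserName": "admin1", "TargetUserName": "jdoe"},
    {"TimeCreated": "2020-05-30T08:02Z", "EventID": 4720, "Computer": "DC01", "SubjectUserName": "admin1", "TargetUserName": "svc_backup"},
    {"TimeCreated": "2020-05-30T08:03Z", "EventID": 4720, "Computer": "DC01", "SubjectUserName": "admin1", "TargetUserName": "WS099$"},
    {"TimeCreated": "2020-05-30T08:04Z", "EventID": 4722, "Computer": "DC01", "SubjectUserName": "admin1", "TargetUserName": "WS042$"},
    {"TimeCreated": "2020-05-30T08:05Z", "EventID": 4726, "Computer": "DC01", "SubjectUserName": "admin2", "TargetUserName": "temp_user"},
    {"TimeCreated": "2020-05-30T08:06Z", "EventID": 4625, "Computer": "WS042", "SubjectUserName": "-", "TargetUserName": "jdoe"},
    {"TimeCreated": "2020-05-30T08:07Z", "EventID": 4625, "Computer": "WS042", "SubjectUserName": "-", "TargetUserName": "jdoe"},
    {"TimeCreated": "2020-05-30T08:08Z", "EventID": 4625, "Computer": "WS007", "SubjectUserName": "-", "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    for row in account_drilldown(SAMPLE_EVENTS):
        print(*row)
    for (user, host), n in auth_failure_clusters(SAMPLE_EVENTS).most_common():
        print(f"{user}@{host}: {n} failures")
```

Note that the 4720 row for `WS099$` survives while the 4722 row for `WS042$` does not, mirroring the page's per-event exclusion rules.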