correct answer is D authentication. Source: https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Dashboardrequirements - check user activity dashboard, remote access panel

The correct answer is D

This is the search powering this dashboard, so it's a clear answer D "Authentication" : | tstats `summariesonly` count from datamodel=Authentication.Authentication where Authentication.user=$ds_input_tokens:result.user$ $ds_input_tokens:result.remote_user_bunit$ by Authentication.src,Authentication.user | `drop_dm_object_name("Authentication")`| `get_identity4events(user)` | rename user_watchlist as watchlist | search $ds_input_tokens:result.watchlist_raw$ | `get_asset(src)` | iplocation src | eval session_city=if(isnull(src_city), City,src_city) | eval session_country=if(isnull(src_country), Country,src_country) | where isnotnull(session_city) AND isnotnull(user_work_city) AND (lower(user_work_city)!=lower(session_city) OR lower(user_work_country)!=lower(session_country)) | fields user, src, session_city, session_country, user_work_city, user_work_country | sort 100 -count

The Correct answer is D

D is the correct answer

The correct answer is D. Verified in the Splunk ES app.

D is correct

User Activity dashboard uses multiple DM, but remote access panel is using Authentication datamodel so D is correct option.