Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Drill down to view entity details in behavioral analytics service

View the details for an entity on the entity details page, such as its organizational information, history of anomaly activity associated with the entity, or other related entities.

Access the entity details page from the Entities page or the Entity Analytics dashboard:

  • On the Entities page, click on an entity in the Treemap, and then click View Details in the dialog window.
  • On the Entities page, click on an entity in the entity list.
  • In the Entity Analytics dashboard, click on the name of any entity.

Gain insight into the entity's organization and corresponding anomalies

Review the Asset & Identity Overview data for this entity, such as the organizational unit, physical location, or privilege level. The data in this pane is provided by the assets and identity data ingested from Splunk Enterprise Security (ES).

If you are viewing entity details for a user, you can view the devices associated with that user in the Session Data panel. If you are viewing entity details for a device, you can view associated users in the panel. Behavioral analytics service uses enriched events to provide additional context about the relationships among entities. The time stamp shows the latest occurrence of the associated user or device. Click on a user or device in the panel to open a new tab and view the entity details for the selected entity.

If there are anomalies associated with the entity, you can review them in the Top Anomalies panel. The graphic in this panel shows the types of anomalies associated with this entity by volume. The panel is collapsed if there are no anomalies associated with the entity.

Click Add to Notable to create a notable that can be investigated in Splunk Mission Control. See Create a notable to investigate in Splunk Mission Control.

Investigate the entity over a specific time range or view only specific event types

By default, the time window on the entity details page matches the time window you use on the Entities page or Entity Analytics dashboard. For example, if the compute window in the Entity Analytics dashboard is set to 24 Hours, and you click on an entity in the dashboard to open the entity details page, the time range on the entity details page shows Last 24 hours. You can click Last 24 hours to change the time range to Last 7 days to investigate events against the entity over a 7-day window.

The visual timeline in the Risk Score panel and event timeline in the Activity panel show all risk scoring events. Click on All events to filter the timeline and list of events so that only detection events, notable events, or score change events are shown.

If new detection events, notable events, or score change events become associated with the entity while you are viewing the page, an update notice appears near the top of the page. Click the update notice to reload the page and view new events. If you have filtered the page to show only detection events, for example, the update notice appears only if new detection events are available.

See how the entity's risk score changed over time

The timeline in the Risk Score panel gives a visual representation of how the entity's score has changed over time. The individual events are listed in the Activity panel. By default, the most recent event is highlighted on the timeline and appears at the top of the list of events.

  • Hover over the activity circles on the timeline to view date and time information and anomaly count. Click any circle so that the event appears at the top of the data timeline in the Activity panel.
  • Zoom in on any portion of the timeline to view anomalies and scoring updates for just the selected portion. The Activity panel is also updated to show only events from the selected time window.
  • Click Reset Zoom to restore the visual timeline to the default view.

View the activity that contributes to the entity's risk score

The Activity panel shows a timeline of the activity for this entity so you can gain a more complete understanding of how the risk score was computed against this entity. The events in the timeline correspond with the graphical timeline in the Risk Score panel. The most recent events appear at the top of the timeline.

The following types of events appear on the timeline (see Investigate the entity over a specific time range or view only specific event types to learn how to filter what appears in the timeline):

  • Detection Events, which are anomalies that change the entity's score.
  • Notable Events, which are events from Splunk ES that change the anomaly's score.
  • Score Change events, which mark the times when the entity risk score was changed.

Expand any event in the data timeline to view additional information about the event, such as the event type, risk score, MITRE ATT&CK framework mapping, and command details. Click Show More if the panel contains a large amount of information.

If you want more space to view the list of events, click the down arrow next to Risk Score to collapse the graphical timeline of events.

Search for contributing events and related entities in Splunk Mission Control

Click the more icon to view additional options for detection events:

  • Select Contributing Events to view the search and corresponding raw events for the detection event. The search is performed against the ueba_cloud_enriched_events index using the unique ID of the event. See Search for enriched events from Splunk Mission Control for information about how you can perform your own searches.
  • Select Related Entities to view the search and other entities that produced the same detection event. The current entity is excluded from the search results.

Create a notable in Splunk Mission Control

When investigating an entity, if you determine that there is a real threat, click Create Notable to create a notable in Splunk Mission Control. See Create a notable to investigate in Splunk Mission Control.

Last modified on 05 January, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2
