Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Review threats and anomalies in your environment

You can use the Threats Dashboard and the Anomalies Dashboard for an overview of the threats and anomalies that Splunk UBA discovers in your environment.

There are limits to the to the total number of threats and anomalies that Splunk UBA can process. Perform regular maintenance of your Splunk UBA deployment by managing the number of threats and anomalies in your system. See Manage the number of threats and anomalies in your environment in Administer Splunk User Behavior Analytics.

Threats Dashboard

Use the Threats Dashboard for an overview of current threats in your environment. You can focus on threats from any time and of any score, or you can select Add Filter to get a more focused view of threats.

This screen image shows the Threats Dashboard page. The elements on this page are described in the surrounding text.

To access the Threats Dashboard:

  1. Select the Threats indicator on the home page, or select Explore > Threats from the menu.
  2. Select the Threats Dashboard the threats dashboard icon icon.

You can take the following actions on the Threats Dashboard page:

  • See the most recent threats in Latest Threats.
  • Learn more about the threats in your environment by reviewing the Threats by Type and Threats by Anomaly Type panels.
  • Determine whether users or devices on a watchlist are involved in any threats with the Threats by Watchlist panel.
  • Review the types, volume, and risk scores of threats over time with the Threats Timeline.
  • Use the Threats Trend panel to determine if threats in your organization are increasing or decreasing.
  • Review which anomaly types are generating the most threats in the Threats by Anomalies panel.
  • Identify high-risk users in Threats by User, or high-risk departments in Threats by Department.
  • If you set up a user watchlist, review the Threats by User Watchlist to see if those watchlisted users are involved in threats.
  • Review the threats involved with different devices with the Threats by Device and Threats by Device Type panels.
  • Use the Threats by App panel to see if any apps are involved in more threats than others.
  • Use the Threats by Domain panel to see if any domains are more involved in threats than others.

Select a value in a panel to see the Threat Table filtered accordingly. For example, select the device type of USB from the Threats by Device Type panel to see the threats affecting USB devices.

Anomalies Dashboard

Get an overview of the anomalous activity in your environment with the Anomalies Dashboard. You can focus on anomalies from any time and of any score, or you can select Add Filter to get a more focused view of the anomalies.

This screen image shows the Anomalies Dashboard page. The elements on this page are described in the surrounding text.

To access the Anomalies Dashboard:

  1. Select the Anomalies indicator on the home page, or select Explore > Anomalies from the menu.
  2. Select the Anomalies Dashboard the threats dashboard icon icon.

On the Anomalies Dashboard page, you can view anomalies in the same categories as threats, though instead of viewing Threats by Anomaly Type, view Anomalies by Threat Type. Select any anomaly to drill down to the Anomaly Details view.

Generate a CSV report based on the dashboard using the Generate Report option.

Last modified on 06 December, 2023
PREVIOUS
Search for entities, anomalies, and threats in Splunk UBA
  NEXT
Manage the number of threats and anomalies in your environment

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters