Machine Learning Toolkit Searches in Splunk Enterprise Security
Extreme Search (XS) context generating searches with names ending in "Context Gen" are revised to use Machine Learning Toolkit (MLTK) and are renamed to end with "Model Gen" instead. Other saved searches, correlation searches, key indicator searches, and rules that used XS keep their names but are also revised to use MLTK. If you have any locally modified XS searches, you need to port them over to use MLTK.
Since XS correlation searches no longer use XS, the corresponding Model Gen searches must first be run to generate a model. As mentioned in the overview, MLTK does not merge daily data into the model, but replaces it with every run. If you want to experiment with running and tuning a model without overwriting it, see Machine Learning Toolkit Troubleshooting in Splunk Enterprise Security.
Searches migrating from XS to MLTK
The list of default searches, correlation searches, key indicators, and rules that are revised from XS to MLTK follows.
DA-ESS-AccessProtection
XS: Access - Total Access Attempts
|
MLTK: Access - Total Access Attempts
|
DA-ESS-EndpointProtection
XS: Change - Abnormally High Number of Endpoint Changes By User - Rule
|
MLTK: Change - Abnormally High Number of Endpoint Changes By User - Rule
|
XS: Endpoint - Host Sending Excessive Email - Rule
|
MLTK: Endpoint - Host Sending Excessive Email - Rule
|
XS: Malware - Total Infection Count
|
MLTK: Malware - Total Infection Count
|
DA-ESS-IdentityManagement
XS: Identity - High Volume Email Activity with Non-corporate Domains - Rule
|
MLTK: Identity - High Volume Email Activity with Non-corporate Domains - Rule
|
XS: Identity - Web Uploads to Non-corporate Domains - Rule
|
MLTK: Identity - Web Uploads to Non-corporate Domains - Rule
|
DA-ESS-NetworkProtection
XS: Network - Unusual Volume of Network Activity - Rule
|
MLTK: Network - Unusual Volume of Network Activity - Rule
|
XS: Web - Abnormally High Number of HTTP Method Events By Src - Rule
|
MLTK: Web - Abnormally High Number of HTTP Method Events By Src - Rule
|
SA-AccessProtection
XS: Access - Authentication Failures By Source - Context Gen
|
MLTK: Access - Authentication Failures By Source - Model Gen
|
XS: Access - Authentication Failures By Source Per Day - Context Gen
|
MLTK: Access - Authentication Failures By Source Per Day - Model Gen
|
XS: Access - Authentication Volume Per Day - Context Gen
|
MLTK: Access - Authentication Volume Per Day - Model Gen
|
XS: Access - Brute Force Access Behavior Detected - Rule
|
MLTK: Access - Brute Force Access Behavior Detected - Rule
|
XS: Access - Brute Force Access Behavior Detected Over 1d - Rule
|
MLTK: Access - Brute Force Access Behavior Detected Over 1d - Rule
|
SA-EndpointProtection
XS: Change - Total Change Count By User By Change Type Per Day - Context Gen
|
MLTK: Change - Total Change Count By User By Change Type Per Day - Model Gen
|
XS: Endpoint - Emails By Destination Count - Context Gen
|
MLTK: Endpoint - Emails By Destination Count - Model Gen
|
XS: Endpoint - Emails By Source - Context Gen
|
MLTK: Endpoint - Emails By Source - Model Gen
|
XS: Endpoint - Malware Daily Count - Context Gen
|
MLTK: Endpoint - Malware Daily Count - Model Gen
|
SA-IdentityManagement
XS: Identity - Email Activity to Non-corporate Domains by Users Per 1d - Context Gen
|
MLTK: Identity - Email Activity to Non-corporate Domains by Users Per 1d - Model Gen
|
XS: Identity - Web Uploads to Non-corporate Domains by Users Per 1d - Context Gen
|
MLTK: Identity - Web Uploads to Non-corporate Domains by Users Per 1d - Model Gen
|
SA-NetworkProtection
XS: Network - Event Count By Signature Per Hour - Context Gen
|
MLTK: Network - Event Count By Signature Per Hour - Model Gen
|
XS: Network - Port Activity By Destination Port - Context Gen
|
MLTK: Network - Port Activity By Destination Port - Model Gen
|
XS: Network - Substantial Increase In Intrusion Events - Rule
|
MLTK: Network - Substantial Increase In Intrusion Events - Rule
|
XS: Network - Substantial Increase in Port Activity - Rule
|
MLTK: Network - Substantial Increase in Port Activity - Rule
|
XS: Network - Traffic Source Count Per 30m - Context Gen
|
MLTK: Network - Traffic Source Count Per 30m - Model Gen
|
XS: Network - Traffic Volume Per 30m - Context Gen
|
MLTK: Network - Traffic Volume Per 30m - Model Gen
|
XS: Web - Web Event Count By Src By HTTP Method Per 1d - Context Gen
|
MLTK: Web - Web Event Count By Src By HTTP Method Per 1d - Model Gen
|
SA-ThreatIntelligence
XS: Risk - Aggregated Other Risk
|
MLTK: Risk - Aggregated Other Risk
|
XS: Risk - Aggregated Risk
|
MLTK: Risk - Aggregated Risk
|
XS: Risk - Aggregated System Risk
|
MLTK: Risk - Aggregated System Risk
|
XS: Risk - Aggregated User Risk
|
MLTK: Risk - Aggregated User Risk
|
XS: Risk - Median Object Risk Per Day - Context Gen
|
MLTK: Risk - Median Object Risk Per Day - Model Gen
|
XS: Risk - Median Object Risk Per Day by Object Type - Context Gen N/A. The original Risk - Median Object Risk Per Day - Context Gen became two: Risk - Median Object Risk Per Day - Model Gen and Risk - Median Object Risk Per Day by Object Type - Model Gen. |
MLTK: Risk - Median Object Risk Per Day by Object Type - Model Gen
|
XS: Risk - Median Risk Score
|
MLTK: Risk - Median Risk Score
|
XS: Risk - Median Risk Score By Other
|
MLTK: Risk - Median Risk Score By Other
|
XS: Risk - Median Risk Score By System
|
MLTK: Risk - Median Risk Score By System
|
XS: Risk - Median Risk Score By User
|
MLTK: Risk - Median Risk Score By User
|
XS: Risk - Total Risk By Risk Object Type Per Day - Context Gen
|
MLTK: Risk - Total Risk By Risk Object Type Per Day - Model Gen
|
XS: Risk - Total Risk Per Day - Context Gen N/A. The original Risk - Total Risk By Risk Object Type Per Day - Context Gen became two: Risk - Total Risk By Risk Object Type Per Day - Model Gen and Risk - Total Risk Per Day - Model Gen. |
MLTK: Risk - Total Risk Per Day - Model Gen
|
SA-Utils
XS: ESS - Percentile - Context Gen
|
Audit searches using an MLTK Model
There is a savedsearch to help audit your model generating searches and the corresponding rules that apply them.
For example, the following savedsearch finds the search called "Network - Traffic Source Count Per 30m - Model Gen" that builds the model for network_traffic_src_count_30m
with fit densityfunction
. Then it also finds the rule called "Network - Unusual Volume of Network Activity - Rule" that applies data to the model and finds the outliers using apply
and the `get_qualitative_upper_threshold(extreme)`
macro.
Example search:
| savedsearch "Audit - Searches using an MLTK Model" model_name=network_traffic_src_count_30m
Example results:
eai:acl.app | title | search |
---|---|---|
SA-NetworkProtection | Network - Traffic Source Count Per 30m - Model Gen | tstats `summariesonly` dc(all_traffic.src) as src_count from datamodel=network_traffic.all_traffic by _time span=30m | fit densityfunction src_count dist=norm into app:network_traffic_src_count_30m |
DA-ESS-NetworkProtection | Network - Unusual Volume of Network Activity - Rule | tstats `summariesonly` dc(all_traffic.src) as src_count,count as total_count from datamodel=network_traffic.all_traffic | localop | apply network_traffic_src_count_30m [|`get_qualitative_upper_threshold(extreme)`] | apply network_traffic_count_30m [|`get_qualitative_upper_threshold(extreme)`] | search "isoutlier(src_count)"=1 or "isoutlier(total_count)"=1 |
Machine Learning Toolkit Overview in Splunk Enterprise Security | Machine Learning Toolkit Macros in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
Feedback submitted, thanks!