Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Enrich events using identity resolution and assets and identities data in behavioral analytics service

Behavioral analytics service uses a combination of identity resolution and assets and identities data from Splunk Enterprise Security (ES) to enrich raw events as they are ingested. First, the raw event is parsed using identity resolution. Then, if assets and identities data from Splunk ES is available, the resolved entity is further decorated with the assets and identities data.

The enriched events are stored in the ueba_cloud_enriched_events index in Splunk Cloud Platform Services for 90 days, and you can search them using Splunk Mission Control. See Search for enriched events from Splunk Mission Control.

See the following documentation for more information about identity resolution and assets and identities data, respectively:

Example: Enriching events without assets and identities data

The following example shows how behavioral analytics service can enrich an event without having assets and identities data in the system:

  • Behavioral analytics service receives an event with the IP address 10.10.10.10 and host name host1.
  • Behavioral analytics service receives a second event with only the IP address 10.10.10.10.

Behavioral analytics service can enrich the second event to include the host name host1 even without assets and identities data from Splunk ES, because the IP address and host name association is already made from the first event using identity resolution.

Example: Enriching events with assets and identities

The following example shows how behavioral analytics service can enrich an event using assets and identities data from Splunk ES:

  • Behavioral analytics service receives an event with the user name jsmith.
  • Behavioral analytics service receives assets and identities data from Splunk ES mapping the user name jsmith to the user John Smith.

Behavioral analytics service enriches the event to add the human user John Smith.

Example: Enriching events using both identity resolution and assets and identities data

The following example shows how behavioral analytics service enriches events using both identity resolution and assets and identities data.

  • Behavioral analytics service receives an event with the IP address 10.10.10.10 and user name jsmith.
  • Behavioral analytics service receives a second event with only the IP address 10.10.10.10.
  • Behavioral analytics service receives assets and identities data from Splunk ES mapping the user name jsmith to the user Jane Smith.

Behavioral analytics service enriches the second event with the user name jsmith from identity resolution, and enriches both events with the human user Jane Smith using assets and identities data.
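The three examples above describe the same two-stage process: associations learned from earlier events fill in fields missing from later events (identity resolution), and a user-name-to-human-user mapping decorates every stored event that carries that user name, including events ingested before the mapping arrived. The following added example models that process in Python and runs all three scenarios. It is illustration code written for this page, not behavioral analytics service code; the field names (src_ip, host, user, user_full_name), the in-memory event list standing in for the enriched-events index, and the rule that an IP address is the key under which host and user associations are learned are assumptions made here.

```python
"""Toy model of the two enrichment stages described above.

Stage 1, identity resolution: associations seen in earlier events (an IP
address observed together with a host name or user name) are remembered and
used to fill in fields missing from later events with the same IP address.

Stage 2, assets and identities decoration: once a user-name-to-human-user
mapping is available, every stored event carrying that user name is decorated
with the human user, including events ingested before the mapping arrived.

Assumptions for this illustration (not behavioral analytics service names):
the field names src_ip, host, user and user_full_name, and the in-memory
list standing in for the enriched-events index.
"""

ASSOCIATION_FIELDS = ("host", "user")  # fields identity resolution learns per IP


class EntityResolver:
    def __init__(self):
        self.identities = {}       # user name -> human user (assets and identities data)
        self.ip_associations = {}  # IP address -> {field: value} learned from earlier events
        self.events = []           # stands in for the enriched-events index

    def enrich(self, raw_event):
        """Ingest one event: resolve against prior associations, decorate, store."""
        event = dict(raw_event)
        ip = event.get("src_ip")
        if ip is not None:
            known = self.ip_associations.setdefault(ip, {})
            # Fill fields this event lacks from associations learned earlier.
            # setdefault keeps the event's own value when it already has one.
            for name, value in known.items():
                event.setdefault(name, value)
            # Learn new associations from this event for later ones.
            for name in ASSOCIATION_FIELDS:
                if name in raw_event:
                    known[name] = raw_event[name]
        self._decorate(event)
        self.events.append(event)
        return event

    def load_identities(self, mapping):
        """Receive assets and identities data and decorate stored events as well."""
        self.identities.update(mapping)
        for event in self.events:
            self._decorate(event)

    def _decorate(self, event):
        user = event.get("user")
        if user in self.identities:
            event["user_full_name"] = self.identities[user]


# Constructed events mirroring the three examples on this page.

def example_without_assets():
    """Example 1: host name recovered from an earlier event, no assets data."""
    resolver = EntityResolver()
    resolver.enrich({"src_ip": "10.10.10.10", "host": "host1"})
    return resolver.enrich({"src_ip": "10.10.10.10"})


def example_with_assets():
    """Example 2: assets and identities data maps jsmith to John Smith."""
    resolver = EntityResolver()
    resolver.enrich({"user": "jsmith"})
    resolver.load_identities({"jsmith": "John Smith"})
    return resolver.events[0]


def example_both():
    """Example 3: identity resolution fills the user name, assets data adds the human user."""
    resolver = EntityResolver()
    resolver.enrich({"src_ip": "10.10.10.10", "user": "jsmith"})
    resolver.enrich({"src_ip": "10.10.10.10"})
    resolver.load_identities({"jsmith": "Jane Smith"})
    return resolver.events


if __name__ == "__main__":
    print(example_without_assets())
    print(example_with_assets())
    for event in example_both():
        print(event)
```

Two design points worth noting when reasoning about enrichment of this kind: a value present in the event itself always wins over a learned association (the setdefault call), so a later event that names a different host for the same IP address is not overwritten, and the learned association is updated to the newer value; and decoration is applied to stored events when the mapping arrives, which is what lets the third example enrich the first event even though the assets and identities data came in after it.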

Last modified on 10 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0

