Integrate risk analysis between Splunk ES and behavioral analytics service
Leverage the high-fidelity notable events and risk events in your existing Splunk Enterprise Security (ES) in Splunk Cloud Platform environment to affect entity risk levels in behavior analytics service. You can use the Splunk Connect for Mission Control app to ingest notable events and risk events from correlation searches along with their corresponding risk factors from Splunk ES.
Risk factors defined in Splunk ES are used to adjust or weigh risk scores associated with specific risk objects based on certain conditions. For example, high-risk devices in your environment can have risk factors to increase the score against those devices relative to other devices. The same entities in behavioral analytics service reflect the defined risk factors so that the entity risk levels are similar, even if the scores are on different scales.
Risk scores in Splunk ES do not have any upper limit, while risk scores in behavioral analytics service fall between 0 - 100. Unifying risk between Splunk ES and Splunk Behavioral Analytics means that an entity with a relative high risk score in Splunk ES would also have a high risk score in behavioral analytics service, even though the numerical risk score may be quite different in each environment.
Enable the search for ingesting notable events and risk events
Enable the required search to integrate Splunk ES risk factors with behavioral analytics service:
- In Splunk Web, click Settings.
- Click Searches, Reports, and Alerts.
- Change the selection for the App filter to splunk-connect-for-mission-control.
- Locate the Behavioral Analytics - Forward Risk Data Model Events - Ingestion search and click Edit > Enable.
Required fields for notable events
The following fields must be present in the notable event from Splunk ES in order for behavioral analytics service to extract the entity for risk analysis:
- To extract a device, the notable event must have at least one of these fields:
- src
- dest
- dvc
- orig_host
- dest_ip
- dest_mac
- src_ip
- src_mac
- To extract a user, the notable event must have at least one of these fields:
- src_user
- user
In some cases, custom correlation searches can produce notable events with fields that do not map to standard Common Information Model (CIM) fields. These notable events are not used for risk analysis scoring.
View behavioral analytics service detections and details | Search for enriched events from Splunk Mission Control |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
Feedback submitted, thanks!