Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Integrate risk analysis between Splunk ES and behavioral analytics service

Leverage the high-fidelity notable events and risk events in your existing Splunk Enterprise Security (ES) deployment on Splunk Cloud Platform to influence entity risk levels in behavioral analytics service. Use the Splunk Connect for Mission Control app to ingest notable events and risk events from correlation searches, along with their corresponding risk factors, from Splunk ES.

Risk factors defined in Splunk ES are used to adjust or weigh risk scores associated with specific risk objects based on certain conditions. For example, high-risk devices in your environment can have risk factors to increase the score against those devices relative to other devices. The same entities in behavioral analytics service reflect the defined risk factors so that the entity risk levels are similar, even if the scores are on different scales.

Risk scores in Splunk ES have no upper limit, while risk scores in behavioral analytics service fall between 0 and 100. Unifying risk between Splunk ES and Splunk Behavioral Analytics means that an entity with a relatively high risk score in Splunk ES also has a high risk score in behavioral analytics service, even though the numerical scores may differ considerably between the two environments.

Enable the search for ingesting notable events and risk events

Enable the required search to integrate Splunk ES risk factors with behavioral analytics service:

  1. In Splunk Web, click Settings.
  2. Click Searches, Reports, and Alerts.
  3. Change the selection for the App filter to splunk-connect-for-mission-control.
  4. Locate the Behavioral Analytics - Forward Risk Data Model Events - Ingestion search and click Edit > Enable.

Required fields for notable events

The following fields must be present in the notable event from Splunk ES in order for behavioral analytics service to extract the entity for risk analysis:

  • To extract a device, the notable event must have at least one of these fields:
    • src
    • dest
    • dvc
    • orig_host
    • dest_ip
    • dest_mac
    • src_ip
    • src_mac
  • To extract a user, the notable event must have at least one of these fields:
    • src_user
    • user

In some cases, custom correlation searches can produce notable events with fields that do not map to standard Common Information Model (CIM) fields. These notable events are not used for risk analysis scoring.
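The following Python script is an added example, not Splunk's own code: it audits a batch of notable events against the device and user field lists above and reports which events behavioral analytics service can extract an entity from and which would be silently left out of risk scoring. The sample events, their search names and the non-CIM field name are constructed for illustration.

```python
# Added example (not Splunk's code): audit notable events for the CIM fields
# that behavioral analytics service needs to extract a device or user entity.
DEVICE_FIELDS = ("src", "dest", "dvc", "orig_host",
                 "dest_ip", "dest_mac", "src_ip", "src_mac")
USER_FIELDS = ("src_user", "user")


def extractable_entities(event):
    """Return {'device': field, 'user': field} for one notable event (dict).

    Each value is the first listed field that is present with a non-empty
    value, or None when no such field exists. Empty strings do not count,
    since an empty field does not identify an entity.
    """
    def first_present(fields):
        for name in fields:
            value = event.get(name)
            if value not in (None, ""):
                return name
        return None

    return {"device": first_present(DEVICE_FIELDS),
            "user": first_present(USER_FIELDS)}


def audit_notables(events):
    """Split events into (usable, dropped).

    usable: list of (search_name, entities) where at least one entity exists.
    dropped: list of search_name values whose events carry no listed field,
             i.e. the correlation search output needs CIM-compliant fields.
    """
    usable, dropped = [], []
    for ev in events:
        ents = extractable_entities(ev)
        if ents["device"] or ents["user"]:
            usable.append((ev.get("search_name"), ents))
        else:
            dropped.append(ev.get("search_name"))
    return usable, dropped


# Constructed sample notable events; "workstation_name" is a made-up custom
# field that does not map to a CIM field, so that event cannot be scored.
SAMPLE_NOTABLES = [
    {"search_name": "Example - Failed Logins", "src": "10.0.0.5",
     "user": "jdoe", "risk_score": 80},
    {"search_name": "Example - Custom Host Alert", "workstation_name": "WS-42",
     "risk_score": 120},
    {"search_name": "Example - Odd Session", "src_user": "", "dest_ip": "10.0.0.9"},
]

if __name__ == "__main__":
    usable, dropped = audit_notables(SAMPLE_NOTABLES)
    for name, ents in usable:
        print(f"scored : {name} -> device via {ents['device']}, user via {ents['user']}")
    for name in dropped:
        print(f"dropped: {name} (no CIM device/user field in the notable event)")
```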

Last modified on 10 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0

