Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Investigate hidden threats in behavioral analytics service

Use the Entities page in behavioral analytics service to begin your investigation for hidden and unknown threats. For example, suppose you are investigating a notable in Splunk Mission Control, and want to see if behavioral analytics service can provide additional insight or supporting evidence. The entity in question might have a low risk score, but you can examine the entity to see all the anomalies associated with that entity over time and uncover some abnormal behavior warranting further investigation. You can also begin an investigation in behavioral analytics service and create a notable in Splunk Mission Control if you discover sufficient evidence.

Access the Entities page to begin investigating hidden threats

From Splunk Mission Control, click Investigation > Entities to access the behavioral analytics service Entities list and Treemap.

Entities are users or devices in your environment. See How to import assets and identities data from Splunk ES on Splunk Cloud Platform into behavioral analytics service for information about how this data gets into behavioral analytics service.

The entities with the highest risk score appear at the top of the Entities list. Use the Treemap to quickly identify the entities with the highest number of anomalies. The larger the box, the higher the number of anomalies associated with that entity.

This image shows the entity list and treemap in the behavioral analytics service user interface. The main elements are described in the section immediately following the image.

View and filter the entities in the Entities list to begin a specific investigation

The Entities list shows you the entities being managed by behavioral analytics service in descending order by risk score. Entities with a risk score of 100 appear at the top of the list, and entities with a risk score of 0 appear at the bottom of the list. Note that only entities with a prior risk score greater than 0 and with a current risk score of 0 appear at the bottom of the Entities list. Entities with no prior risk or risk score do not appear on the Entities list.

Scroll through the list as needed to see entities with a lower risk score. See How behavioral analytics service calculates and maintains risk levels and risk scores for more information about the normalized entity risk scores.

Filter the entities you see on this page by type and score

You can filter the entities you see on this page by compute window, type, and score. For example, click All Scores and select Critical (91-100) so that only entities with a critical risk score appear on the Entities page. Further refine the list by clicking All Types and selecting Users so that devices do not appear on the page.

You can reset all filters to their default values to begin a new investigation by clicking Reset. By default, entities of all types and scores are listed based on risk scores computed from anomalies in the past 24 hours.

Filter the entities you see on this page by compute window

Behavioral analytics service standardizes all events to use UTC-7 time. By default, entities are ranked by their normalized risk scores based on anomalies detected in the past 24 hours. Select 7 Days to view the entities based on their normalized risk scores over the past 6 days plus back to 07:00:00 UTC on the seventh day.

  • The 24 Hours compute window is a rolling window with a granularity of 1 hour.
  • The 7 Days compute window is a rolling window with a granularity of 1 day.

The following example shows the time windows considered for entity scoring using October 8 as the current date and 07:00:00 UTC as the current time:

This image shows a timeline from October 1 on the left to October 8 on the right. There are four items labeled along the timeline: Anomaly C on October 1, Anomaly B on October 6, Anomaly A on October 8, and the current time, which is the farthest item to the right on October 8.

The following table summarizes how the anomalies in the timeline are considered for entity scoring.

| Anomaly | Anomaly date and time | Is the anomaly considered for entity scoring? |
|---|---|---|
| Anomaly A | October 8, 04:00:00 UTC | Yes, if you select either 24 Hours or 7 Days as the compute window. |
| Anomaly B | October 6, 04:00:00 UTC | No, if you select 24 Hours as the compute window. Yes, if you select 7 Days as the compute window. |
| Anomaly C | October 1, 04:00:00 UTC | No for both compute windows. This anomaly is outside of both compute windows and is not considered in any entity scoring computation. |
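The compute-window rule above can be checked against the table with a short script. This is an added example, not Splunk code: the snapping rules (24 Hours start floored to the hour, 7 Days start floored to the 07:00:00 UTC boundary six days back) are one interpretation of the text, and the year 2021 and all function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DAY_BOUNDARY_HOUR = 7  # the page's day boundary: 07:00:00 UTC


def window_start(now, window):
    """Assumed start of the compute window that ends at `now` (aware datetime)."""
    now = now.astimezone(UTC)
    if window == "24 Hours":
        # Rolling window with 1-hour granularity: snap the start down to the hour.
        return (now - timedelta(hours=24)).replace(minute=0, second=0, microsecond=0)
    if window == "7 Days":
        # Past 6 days, then back to the 07:00:00 UTC boundary at or before that point.
        start = now - timedelta(days=6)
        boundary = start.replace(hour=DAY_BOUNDARY_HOUR, minute=0,
                                 second=0, microsecond=0)
        return boundary if boundary <= start else boundary - timedelta(days=1)
    raise ValueError(f"unknown compute window: {window!r}")


def windows_covering(anomaly_time, now):
    """Compute windows in which an anomaly counts toward the entity score."""
    seen = anomaly_time.astimezone(UTC)
    return [w for w in ("24 Hours", "7 Days")
            if window_start(now, w) <= seen <= now]


# Constructed sample data mirroring the table; the year 2021 is an assumption.
NOW = datetime(2021, 10, 8, 7, 0, tzinfo=UTC)
ANOMALIES = {
    "Anomaly A": datetime(2021, 10, 8, 4, 0, tzinfo=UTC),
    "Anomaly B": datetime(2021, 10, 6, 4, 0, tzinfo=UTC),
    "Anomaly C": datetime(2021, 10, 1, 4, 0, tzinfo=UTC),
}


def score_table(now=NOW):
    """Map each sample anomaly to the compute windows that include it."""
    return {name: windows_covering(ts, now) for name, ts in ANOMALIES.items()}


if __name__ == "__main__":
    for name, windows in score_table().items():
        print(name, "->", ", ".join(windows) or "not scored")
```

An anomaly that is missing from an entity's score under 24 Hours but present under 7 Days, like Anomaly B, is the expected result of the window choice rather than a data gap.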

Use the Treemap to quickly find the entities with the most anomalies

The Treemap provides an alternative visual and can help you quickly identify the entities in your organization with the highest number of anomalies.

The color of the box represents the risk score, and the size of the box represents the number of anomalies associated with the entity. If two entities have the same risk score but one entity has a larger box, the entity with the larger box has more anomalies associated with it than the entity with the smaller box. The entities with the highest risk score appear in the top-left portion of the treemap.

See How behavioral analytics service calculates and maintains risk levels and risk scores for more information about the normalized entity risk scores.

Click the gear icon to edit the treemap settings:

  1. Use the Density slider to restrict the number of entities shown in the treemap. For example, setting the slider to 20 causes fewer entities to show than setting the slider to 80.
  2. View the color key used in the treemap. The colors used in the severity levels match the colors used in Splunk Mission Control.
    | Color | Corresponding risk level | Corresponding risk score |
    |---|---|---|
    | Red | Critical | 91 - 100 |
    | Orange | High | 61 - 90 |
    | Yellow | Medium | 31 - 60 |
    | White | Low | 0 - 30 |

View details about a specific entity

You can drill down to view details for any entity by performing one of the following tasks:

  • Click any entity in the entity list to open the entity details in the same browser tab, or use Command + click on macOS or Ctrl + click on Windows to open the entity details in a new tab.
  • Click any entity in the treemap, then click View details to open the entity details in the same browser tab, or use Command + click on macOS or Ctrl + click on Windows to open the entity details in a new tab.

See Drill down to view entity details.

Last modified on 11 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
