Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Data flow overview for behavioral analytics service

The following image summarizes how data gets into behavioral analytics service and is eventually viewed in the behavioral analytics service web interface. Each component in the flow is described in the table immediately following the image.

This image shows the data flow from an on-premises heavy forwarder to the behavioral analytics service web interface. The items in the image are described in the table immediately following the image, from left-to-right.

Component Description
Heavy Forwarder The heavy forwarder sends each raw event to the following:
  • Your Splunk Enterprise Security (ES) deployment in Splunk Cloud Platform, for use with Splunk Mission Control.
  • The Splunk Stream Processing Service (SPS). This is the event that is used by behavioral analytics service.

See Get data into behavioral analytics service for instructions.

Do not modify or edit any of the Splunk SPS pipelines provisioned for behavioral analytics service.

Forwarders Service The Forwarders service in Splunk Cloud Platform aggregates, formats, and routes data in real-time from the heavy forwarder to Splunk Mission Control.
Identity Resolution Behavioral analytics service performs identity resolution to associate each event with an originating device or user. See How behavioral analytics service performs identity resolution to associate data with entities.
Detections Behavioral analytics service generates detections based on the data in the system. See Supported detections in behavioral analytics service for a complete list of supported detections.
Risk Analysis Anomalies are assigned a score, and algorithms are further applied until a normalized risk score is generated for each entity. See How behavioral analytics service calculates risk scores.
Behavioral Analytics Service Web Interface

In multi-tenant environments, onboarded data from each tenant is tagged with its own unique tenant ID, then enriched and parsed by Splunk Cloud Platform and behavioral analytics service. Then, entities and detections are sent to their respective tenants and can be viewed in the behavioral analytics service web interface.

The following image summarizes the data flow in a multi-tenant environment:

This image shows the data flow in a multi-tenant environment from an on-premises heavy forwarder to the behavioral analytics service web interface. The items in the image are described in the table above the image, from left-to-right.

Last modified on 05 January, 2023
PREVIOUS
Send findings for risk analysis using the Finding Report schema 		  NEXT
Perform identity resolution to associate data with entities in behavioral analytics service

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters