Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Perform identity resolution to associate data with entities in behavioral analytics service

Behavioral analytics service performs identity resolution on all events to associate them with an originating user and device. Behavioral analytics service builds a database of identity relationships using the following data:

Using the identity database, identity resolution is applied to all events in an attempt to associate each event to a specific device, such as a single IP address, MAC address, or hostname, or a user. Behavioral analytics service also generates a unique ID for each device and user as part of identity resolution, and enriches the raw event by assigning the device ID to the device_id field and the user ID to the user_id field. See Enrich events using identity resolution and assets and identities data in behavioral analytics service.

How behavioral analytics service handles out-of-order events

Events from the multitude of devices in your network arrive in behavioral analytics service at various times. There can be cases where an event from a network device arrives earlier than the DHCP event that is used to properly resolve the network event to a specific user or device. Behavioral analytics service can detect this difference and apply a slight delay before performing identity resolution on the network event.

Behavioral analytics service doesn't update existing anomalies using identity resolution

Once an anomaly is generated, the information associated with the anomaly is not updated. For example, there may be anomaly showing an IP address, but later on some DNS data arrives so that the IP address can be resolved to a domain name. The existing anomaly is not updated to use the domain name as it is unknown if the IP address was associated to the domain name at the time of detection. Updates to assets and identities data ingested from Splunk ES on Splunk Cloud Platform are reflected in the entities.

Last modified on 05 January, 2023
PREVIOUS
Data flow overview for behavioral analytics service 		  NEXT
Enrich events using identity resolution and assets and identities data in behavioral analytics service

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters