Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Manage behavioral analytics service detections in Splunk Enterprise Security

This topic applies only to customers on the Splunk Cloud platform.

Follow these steps to view behavioral analytics (BA) service detections in Splunk Enterprise Security:

  1. Click Configure > Content > Content Management to view the list of detections if your BA service is turned on.
  2. Click on a detection to view the detection details.
    To filter for Behavioral Analytics detections, change the Type filter to Behavioral Analytics or change the App filter to Behavioral Analytics Service.
    For example, you can view the following information about any detection:
    • The detection version, date, related analytic story, and what data is needed to trigger the detection.
    • The related security framework mapping such as MITRE Technique, Cyber Kill Chain, CIS20, and NIST.
    • The SPL used find this detection.

Use test index (ba_test) to reduce alert volume from behavioral analytics detections

Behavioral analytics service detections create events in Splunk Enterprise Security. However, you have the option to forward the events from a behavioral service detection to a test index (ba_test) instead of the risk index. Forwarding events to a test index (ba_test) helps you to preview events that might otherwise be written to the risk index without corrupting your risk based alerting framework and reduces the alert volume. Therefore, a test index (ba_test) serves as a sandbox for experimenting with events and identify meaningful detections, which create risk events without impacting your production environment.

When the behavioral analytics service detections are initially enabled, events are forwarded to the test index (ba_test) by default.

You can visualize events in the test index (ba_test) and risk index using the Risk Analysis dashboard. For more information on the Risk Analysis dashboard, see Risk Analysis.

Turn on or turn off detections in Splunk Enterprise Security

  1. In Splunk Enterprise Security, navigate to Configure > Content > Content Management to display the list of available detections.
  2. Click the link for the detection that you want to turn on in the risk index.
  3. Click Turn on in risk index to turn on the detections in the risk index.
  4. Click Turn on in test index (ba_test) to turn on the detection in the test index (ba_test).

    Events generated from behavioral analytics service detections are moved to the test index (ba_test) by default.

  5. Click Turn off to turn off a detection so that it does not create events in any index.

Alternatively, you can bulk update the detections by selecting the checkbox next to the detections. In the Actions dropdown, select Turn on in test index or Turn on in risk index or Turn off to turn on or turn off the detection as required.

Last modified on 15 November, 2023
Supported detections in behavioral analytics service  

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters