Manage behavioral analytics service detections in Splunk Enterprise Security
Follow these steps to view behavioral analytics (BA) service detections in Splunk Enterprise Security:
- Click Configure > Content > Content Management to view the list of detections if your BA service is enabled.
- Click on a detection to view the detection details.
To filter for Behavioral Analytics detections, change the Type filter to Behavioral Analytics or change the App filter to Behavioral Analytics Service.
For example, you can view the following information about any detection:
- The detection version, date, related analytic story, and what data is needed to trigger the detection.
- The related security framework mapping such as MITRE Technique, Cyber Kill Chain, CIS20, and NIST.
- The SPL used to find this detection.
Use test index to reduce alert volume from behavioral analytics detections
Behavioral analytics service detections create events in Splunk Enterprise Security. However, you have the option to forward the events from a behavioral analytics service detection to a test index instead of the risk index. Forwarding events to a test index lets you preview events that would otherwise be written to the risk index, without corrupting your risk-based alerting framework, and reduces the alert volume. The test index therefore serves as a sandbox for experimenting with events and identifying the meaningful detections that should create risk events, without impacting your production environment.
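To act on that preview, a search like the following (an added example, not from the Splunk documentation) summarizes how many risk events each detection produced in the test index over the last seven days next to what is already in the risk index, so that noisy detections can be tuned before you enable them in the risk index. It assumes the risk index is named `risk` (the Enterprise Security default), uses `<ba_test_index>` as a placeholder for the name of your test index, and assumes the fields `source`, `risk_object` and `risk_score` match the ES risk event schema.

```spl
index=<ba_test_index> OR index=risk earliest=-7d
| eval stage=if(index=="risk", "risk_index", "test_index")
| stats count AS events
        dc(risk_object) AS distinct_objects
        avg(risk_score) AS avg_risk_score
        BY stage source
| eval events_per_day=round(events/7, 1)
| sort - events
```

Detections near the top of the test_index rows with many events but few distinct objects are the usual candidates for tuning or leaving disabled.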
Enable or disable detections in Splunk Enterprise Security
- In Splunk Enterprise Security, navigate to Configure > Content > Content Management to display the list of available detections.
- Click the link for the detection that you want to enable or disable.
- Click Enable in risk index to enable the detection in the risk index.
- Click Enable in test index to enable the detection in the test index. Events generated from behavioral analytics service detections are moved to the test index by default.
- Click Disable to disable a detection so that it does not create events in any index.
Alternatively, you can bulk update detections by selecting the checkbox next to each detection. In the Actions dropdown, select Enable in test index, Enable in risk index, or Disable to enable or disable the selected detections as required.
Supported detections in behavioral analytics service
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0