Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure data models to normalize data for Splunk Enterprise Security

Use the Splunk Common Information Model (CIM) to organize your data into a schema for Splunk Enterprise Security. For example, the Authentication data model can ingest data from multiple sources such as Windows, Cloud Platforms, and VPN logs and ensure that they use the same fields, such as src, user, and action, which makes reviewing events easier. Data models group normalized events that exist in different indexes and source types and help to review the performance, accuracy, and data diversity in your security organization. Mapping data sources to data models allows you visibility across all relevant sources for threat detection. Create risk incident rules only after organizing your data using data models.

Modifications to the CIM must be made only after consulting with the Splunk Professional Services team.

To identify the data that you need to adjust, download the Outpost - Data Model Mechanic app from Splunkbase.

You can add new fields to your CIM data model if you find fields that might provide useful context for your investigations. Do not constrain yourself with fields that exist in CIM data models. Additionally, you can identify the exact information you want from your data fields by using the regex command or lookups. However, an upgrade that impacts data models overwrites custom changes to fields. You must track any unique fields that you added to the data model during upgrades, recreate those fields and ensure that your data post an upgrade similar to the data prior to an upgrade.

Use the Splunk SA CIM in Docker Upgrade to compare and upgrade Splunk CIM data models.

Use accelerated data models and the tstat command to identify the fields that are relevant to your data model. Using accelerated data models requires additional space on search heads.

Follow these steps to configure data models for risk-based alerting:

  1. Audit your data model performance.
    In Splunk Enterprise Security, navigate to Audit > Datamodel Audit to check the data model accelerations and acceleration time frames.
    Alternatively, you can enter the following in your browser to audit your data models:
    https://<SPLUNK instance>/en-US/app/SplunkEnterpriseSecuritySuite/datamodel_audit
  2. Check that the indexes feeding the CIM data models are accurate by verifying that the data models are tagged clearly and consistently.
    In Splunk Enterprise Security, navigate to Configure > CIM Setup to check the data model settings and index configurations.
    Alternatively, you can type the following in your browser to verify the data model configurations:
    https://<SPLUNK instance>/en-US/app/SplunkEnterpriseSecuritySuite/cim_setup
  3. Check the diversity of your network data by reviewing network traffic, web, intrusion detection system (IDS), email, and authentication. You might also review the endpoints, network sessions, and network resolutions in your security environment to ensure that you analyze a large and varied dataset and assess threats effectively.

See also

For more information about data models, see the product documentation:

Create and manage data models in Splunk Enterprise Security

Data source planning for Splunk Enterprise Security in the Splunk Enterprise Security Installation and Upgrade Manual.

Last modified on 08 January, 2024
Update assets and identities to add context for risk based alerting   Creating allow lists to reduce noisy alert volume

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters