Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Integrate risk analysis between Splunk Enterprise Security and behavioral analytics service

Leverage the notables and risk events from your existing Splunk Enterprise Security instances in a Splunk Cloud Platform environment to impact the risk levels of entities in behavioral analytics service. You can ingest notable events and risk events from correlation searches along with their corresponding risk factors from Splunk Enterprise Security.

Risk factors defined in Splunk Enterprise Security adjust or weigh risk scores associated with specific risk objects based on certain conditions. For example, high-risk devices in your environment can have risk factors to increase the score against those devices relative to other devices. The same entities in behavioral analytics service reflect the defined risk factors so that the entity risk levels are similar, even if the scores are on different scales.

Risk scores in Splunk Enterprise Security do not have any upper limit, while risk scores in behavioral analytics service fall between 0 and 100. Unifying risk between Splunk Enterprise Security and behavioral analytics service means that an entity with a relatively high risk score in Splunk Enterprise Security also has a high risk score in behavioral analytics service, even though the numerical risk score might be different in each environment.

Enable the search for ingesting notable events and risk events

Follow these steps to enable the search to integrate Splunk Enterprise Security risk factors with the behavioral analytics service:

  1. In Splunk Web, select Settings.
  2. Select Searches, Reports, and Alerts.
  3. Change the selection for the App filter to splunk-connect-for-mission-control.
  4. Locate the Behavioral Analytics - Forward Risk Data Model Events - Ingestion search and select Edit > Enable.

Required fields for notable events

The following fields must be present in the notable event from Splunk Enterprise Security so that behavioral analytics service can extract the entity for risk analysis:

  • To extract a device, the notable event must have at least one of these fields:
    • src
    • dest
    • dvc
    • orig_host
    • dest_ip
    • dest_mac
    • src_ip
    • src_mac
  • To extract a user, the notable event must have at least one of these fields:
    • src_user
    • user

In some cases, custom correlation searches can produce notable events with fields that do not map to standard Common Information Model (CIM) fields. These notable events are not used for risk analysis scoring.

See also

For more information on using behavioral analytics service in Splunk Enterprise Security, see the product documentation.

Use behavioral analytics service with Splunk Enterprise Security 7.1.0 or higher

Enable behavioral analytics service on Splunk Enterprise Security

Creating risk notables using the behavioral analytics service

Last modified on 22 August, 2023
PREVIOUS
Create a risk message to add context for investigations
  NEXT
Creating risk notables using the behavioral analytics service

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters