Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Creating risk notables using the behavioral analytics service

Leverage the supported detections to transform anomalies in the behavioral analytics service to risk notables in Splunk Enterprise Security. Converting these anomalies into risk events lets you avoid false positives but still address all potential risk within your security environment. You can also correlate the specific detections in behavioral analytics service with risk objects to set risk thresholds.

Risk factors defined in Splunk Enterprise Security adjust or weigh risk scores associated with specific risk objects based on certain conditions. The same entities in behavioral analytics service reflect the defined risk factors so that the entity risk levels are similar, even if the risk scores are on different scales. As a result, no duplicate notables get created when you leverage behavioral analytics service for risk detection within Splunk Enterprise Security. You can also identify the originating event that generated the risk event within Splunk Enterprise Security. For more information on integrating risk analysis between Splunk Enterprise Security and behavioral analytics service, see Integrate risk analysis between Splunk Enterprise Security and behavioral analytics service.

Notables generated by behavioral analytics service get sent through a pipeline into the risk index in Splunk Enterprise Security using the same Common information Model (CIM) field mappings. The field mappings provided in the following table indicate how the specific fields in behavioral analytics service detections get converted to risk events in Splunk Enterprise Security. Use these field correlations to make adjustments to risk factors and adjust the risk scores for events generated by the behavioral analytics service.

These field mappings conform to the fields in the Risk Analysis data model that describes the data generated by the risk framework in Splunk Enterprise Security. For more information on the fields in the Risk Analysis data model, see Risk Analysis data model fields.

To file a ticket on the Splunk Support Portal for help with field mappings, see Support and Services.

Each event creates one risk event in the detection.

Behavioral analytics service detection Splunk Enterprise Security risk event Example of field value
detection_name search_name search_name="BA - Detect Dump LSASS Memory using comsvcs - Rule"
entity_id risk_object risk_object="device001"
entity_type risk_object_type risk_object_type="system"
risk_score risk_score risk_score=70
cis_controls

nist_categories
kill_chain_phases
mitre_technique_ids

annotations annotations={cis20:[""], kill_chain_phases:["Exploitation"], nist=["PR.DS","PR.IP"], mitre_attack=["T1489"]}
detection_id detection_id*

This is an additional field, which is not included in the risk event schema.

detection_id="76bb9e35-f314-4c3d-a385-83c72a13ce4e"
detection_version detection_version*

This is an additional field, which is not included in risk event schema.

version=2
start_time info_min_time info_min_time=1647574000
end_time info_max_time info_max_time=1647575000
Other fields generated by the detection such as cmd_line, parent_process_name Same as in detection*

This is an additional field, which is not included in the risk event schema.

cmd_line="c:\windows\system32\cmd.exe"

parent_process_name="c:\program files\adobe\reader 8.0\reader\acrord32.exe"

See also

For more information on using behavioral analytics service in Splunk Enterprise Security, see the product documentation.

Use behavioral analytics service with Splunk Enterprise Security 7.1.0 or higher

Enable behavioral analytics service on Splunk Enterprise Security

Last modified on 22 August, 2023
Integrate risk analysis between Splunk Enterprise Security and behavioral analytics service   How behavioral analytics service calculates risk scores

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters