Splunk® Enterprise Security 7.1.1

Administer Splunk Enterprise Security
The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links return redirect errors. To resolve redirect errors, use the version selector on the ES documentation homepage to navigate between the versions.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Supported data sources in behavioral analytics service

This topic applies only to customers on the Splunk Cloud platform.

Behavioral analytics service uses data sources to generate anomalies.

The following table identifies the source types supported by universal forwarders:

| Data source | Sourcetype for universal forwarder |
|---|---|
| Windows security logs | XmlWinEventLog:Security |

Windows event IDs supported in Splunk Behavioral Analytics

The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. For instructions on logging these events correctly, see Configure Windows event logging to ensure the proper events are logged.

| Event ID | Description | Supported for XmlWinEventLog |
|---|---|---|
| 4103 | Windows license activation failed | Yes |
| 4104 | PowerShell script block logging | Yes |
| 4624 | An account was successfully logged on | Yes |
| 4625 | An account failed to log on | Yes |
| 4661 | A handle to an object was requested | Yes |
| 4662 | An operation was performed on an object | Yes |
| 4663 | An attempt was made to access an object | Yes |
| 4673 | A privileged service was called | Yes |
| 4688 | A new process has been created | Yes |
| 4689 | A process has exited | Yes |
| 5145 | A network share object was checked to see whether client can be granted desired access | Yes |


Data source sample events and fields mappings

Behavioral analytics service extracts the values of specific fields in each data source and maps them to the names its models expect. Expand each Fields and Mapping section to see how fields in raw events are mapped. The tables in the Fields and Mapping sections contain the following information:

| Table column | Description |
|---|---|
| Raw event field name | The original name of the field in the raw event. |
| Behavioral analytics service token name | What the field in the raw event is mapped to in behavioral analytics service. For example, the raw event may contain a field named threatURL, but the models in behavioral analytics service require a field named threat_url. |
| Behavioral analytics service entity/field type | The field used to enrich entities with assets and identities data. For example, a local_ip field in the raw event marked as dest_user/DNS in the table defines the database table used to perform the lookup, so DNS addresses are searched when performing the lookup instead of IP tables. |
| Behavioral analytics service data model | Data models in behavioral analytics service normalize data into specific categories like Authorization or Endpoint. The detections in the system run queries against this normalized data instead of running vendor-specific queries. |
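The following Python script is an added example and is not Splunk's code. It shows, for the XmlWinEventLog format and the supported event ID list above, what the field mapping described in this section looks like in practice: a raw Windows event is parsed, its EventData field names are renamed to normalized token names, and the event ID is checked against the supported list. The raw EventData names (TargetUserName, IpAddress, NewProcessName, and so on) are standard Windows field names, but the token names in FIELD_MAP are assumptions for illustration, not the service's actual mapping table, and the sample events are constructed. The audit_coverage helper goes a step further than the text: it reports which supported IDs never appear in a batch of forwarded events, which is a quick way to confirm that the audit policy on the endpoint is producing what the service needs.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Event IDs listed on this page as supported for XmlWinEventLog.
SUPPORTED_EVENT_IDS = {4103, 4104, 4624, 4625, 4661, 4662, 4663, 4673, 4688, 4689, 5145}

# Assumed raw-field -> token mapping for illustration only. The page documents the
# pattern (for example threatURL -> threat_url), not these specific token names.
FIELD_MAP = {
    "TargetUserName": "user",
    "TargetDomainName": "user_domain",
    "IpAddress": "src_ip",
    "LogonType": "logon_type",
    "NewProcessName": "process",
    "ParentProcessName": "parent_process",
}

# XML namespace used by Windows event XML as collected by the universal forwarder.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_xml_event(xml_text):
    """Return (event_id, computer, {raw field name: value}) for one XmlWinEventLog event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    fields = {}
    for data in root.findall("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name:
            fields[name] = (data.text or "").strip()
    return event_id, computer, fields


def normalize_event(xml_text):
    """Rename raw fields to token names and flag whether the event ID is supported."""
    event_id, computer, raw = parse_xml_event(xml_text)
    event = {
        "event_id": event_id,
        "dest": computer,
        "supported": event_id in SUPPORTED_EVENT_IDS,
    }
    for raw_name, token in FIELD_MAP.items():
        if raw_name in raw:
            event[token] = raw[raw_name]
    return event


def audit_coverage(xml_events):
    """Count events per ID and list supported IDs that never appeared in the batch."""
    seen = Counter(parse_xml_event(x)[0] for x in xml_events)
    return {
        "seen": dict(seen),
        "unsupported_seen": sorted(i for i in seen if i not in SUPPORTED_EVENT_IDS),
        "supported_missing": sorted(SUPPORTED_EVENT_IDS - set(seen)),
    }


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>4624</EventID><Computer>ws01.example.local</Computer></System>"
    "<EventData><Data Name='TargetUserName'>alice</Data><Data Name='TargetDomainName'>EXAMPLE</Data>"
    "<Data Name='IpAddress'>10.0.0.5</Data><Data Name='LogonType'>3</Data></EventData></Event>",
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>4688</EventID><Computer>ws01.example.local</Computer></System>"
    "<EventData><Data Name='NewProcessName'>C:\\Windows\\System32\\cmd.exe</Data>"
    "<Data Name='ParentProcessName'>C:\\Windows\\explorer.exe</Data></EventData></Event>",
    # 4720 (a user account was created) is not in the supported list on this page.
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>4720</EventID><Computer>dc01.example.local</Computer></System>"
    "<EventData><Data Name='TargetUserName'>svc-new</Data></EventData></Event>",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(normalize_event(ev))
    print(audit_coverage(SAMPLE_EVENTS))
```

Running the script prints the normalized form of each sample and a coverage summary; in a real check you would feed it a batch of events exported from the forwarder instead of the constructed samples.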

XmlWinEventLog logs

Sample Event


Sample XmlWinEventLog events

Fields and Mapping


Fields and mapping

Last modified on 16 November, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.1, 7.1.2, 7.2.0

