Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Manage behavioral analytics service detections in Splunk Enterprise Security

This topic applies only to customers on the Splunk Cloud platform.

Follow these steps to view behavioral analytics (BA) service detections in Splunk Enterprise Security:

  1. Click Configure > Content > Content Management to view the list of detections if your BA service is turned on.
  2. Click on a detection to view the detection details.
    To filter for Behavioral Analytics detections, change the Type filter to Behavioral Analytics or change the App filter to Behavioral Analytics Service.
    For example, you can view the following information about any detection:
    • The detection version, date, related analytic story, and what data is needed to trigger the detection.
    • The related security framework mapping such as MITRE Technique, Cyber Kill Chain, CIS20, and NIST.
    • The SPL used find this detection.

Use test index (ba_test) to reduce alert volume from behavioral analytics detections

Behavioral analytics service detections create events in Splunk Enterprise Security. However, you have the option to forward the events from a behavioral service detection to a test index (ba_test) instead of the risk index. Forwarding events to a test index (ba_test) helps you to preview events that might otherwise be written to the risk index without corrupting your risk based alerting framework and reduces the alert volume. Therefore, a test index (ba_test) serves as a sandbox for experimenting with events and identify meaningful detections, which create risk events without impacting your production environment.

When the behavioral analytics service detections are initially enabled, events are forwarded to the test index (ba_test) by default.

You can visualize events in the test index (ba_test) and risk index using the Risk Analysis dashboard. For more information on the Risk Analysis dashboard, see Risk Analysis.

Turn on or turn off detections in Splunk Enterprise Security

  1. In Splunk Enterprise Security, navigate to Configure > Content > Content Management to display the list of available detections.
  2. Click the link for the detection that you want to turn on in the risk index.
  3. Click Turn on in risk index to turn on the detections in the risk index.
  4. Click Turn on in test index (ba_test) to turn on the detection in the test index (ba_test).

    Events generated from behavioral analytics service detections are moved to the test index (ba_test) by default.

  5. Click Turn off to turn off a detection so that it does not create events in any index.

Alternatively, you can bulk update the detections by selecting the checkbox next to the detections. In the Actions dropdown, select Turn on in test index or Turn on in risk index or Turn off to turn on or turn off the detection as required.

Enable modular inputs to ingest data and enrich detections

For Splunk Enterprise Security versions 7.1.x and 7.2.x, you can enable the asset and identity modular inputs such as ES Asset Exporter and ES Identity Exporter by navigating to Settings > Data inputs > ES Asset Exporter or ES identity Exporter so that you can ingest data into the behavioral analytics service to enrich detections. For more information on modular inputs, see Overview of modular inputs.

For Splunk Enterprise Security versions 7.3 and higher, the asset and identity modular inputs such as ES Asset Exporter and ES Identity Exporter are enabled by default for premium tier customers. For customers who have not upgraded to the premium tier, these modular inputs might be enabled but are passive and do not transfer any data.

Last modified on 16 November, 2023
Supported detections in behavioral analytics service  

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters