Manage behavioral analytics service detections in Splunk Enterprise Security

This topic applies only to customers on the Splunk Cloud platform.

Follow these steps to view behavioral analytics (BA) service detections in Splunk Enterprise Security:

1. In Splunk Enterprise Security, select Security content and then select Content management to view the list of detections if the behavioral analytics service is turned on.
2. Select a detection to view the detection details.
   To filter for behavioral analytics detections, change the Type filter to Behavioral analytics or change the App filter to Behavioral analytics service.
   For example, you can view the following information about any detection:
• The detection version, date, related analytic story, and what data is needed to trigger the detection.
• The related security framework mapping such as MITRE Technique, Cyber Kill Chain, CIS20, and NIST.
• The SPL used find this detection.

Use test index (ba_test) to reduce alert volume from behavioral analytics detections

Behavioral analytics service detections create events in Splunk Enterprise Security. However, you have the option to forward the events from a behavioral service detection to a test index (ba_test) instead of the risk index. Forwarding events to a test index (ba_test) helps you to preview events that might otherwise be written to the risk index without corrupting your risk based alerting framework and reduces the alert volume. Therefore, a test index (ba_test) serves as a sandbox for experimenting with events and identify meaningful detections, which create risk events without impacting your production environment.

When the behavioral analytics service detections are initially enabled, events are forwarded to the test index (ba_test) by default.

You can visualize events in the test index (ba_test) and risk index using the Risk analysis dashboard.

Turn on or turn off detections in Splunk Enterprise Security

1. In Splunk Enterprise Security, navigate to Security content and then select Content Management to display the list of available detections.
2. Select the link for the detection that you want to turn on in the risk index.
3. Select Turn on in risk index to turn on the detections in the risk index.
4. Select Turn on in test index (ba_test) to turn on the detection in the test index (ba_test).

   Events generated from behavioral analytics service detections are moved to the test index (ba_test) by default.

5. Select Turn off to turn off a detection so that it does not create events in any index.

Enable modular inputs to ingest data and enrich detections

For Splunk Enterprise Security versions 7.1.x and 7.2.x, you can turn on the asset and identity modular inputs such as ES Asset Exporter and ES Identity Exporter. Follow these steps to turn on the asset and identity modular inputs:

1. Go to Settings and select Data inputs.
2. Go to ES Asset Exporter or ES identity Exporter so that you can ingest data into the behavioral analytics service to enrich detections.

For Splunk Enterprise Security versions 7.3 and higher, the asset and identity modular inputs such as ES Asset Exporter and ES Identity Exporter are turned on by default for premium tier customers. For customers who have not upgraded to the premium tier, these modular inputs might be turned on but are passive and do not transfer any data.

See also

For more information on the dashboards and modular inputs, see the product documentation:

• Risk Analysis.
• Overview of modular inputs in the Splunk Developer documentation.