Close threats in Splunk UBA
Understand how Splunk UBA threats can be closed and also what happens to other components in the system when threats are closed.
How Splunk UBA threats are closed
Splunk UBA threats can be manually closed or automatically closed by Splunk UBA.
- Threats automatically closed by Splunk UBA are marked as Closed By System.
- Threats manually closed by a user are marked as Closed By User.
When are threats closed by the system?
Threats can be automatically closed by Splunk UBA under the following circumstances:
- Upon recomputation, when Splunk UBA runs the threat rules or models each night and determines that a threat is no longer valid. For example, this can happen if the entity and anomaly risk scores drop, so the conditions that produced the threat no longer hold. In such cases, Splunk UBA automatically closes the threat.
- A threat rule is deleted. When this happens, all of the corresponding threats generated by that rule are deleted by Splunk UBA.
When are threats closed by the user?
Sometimes, anomalies are created that generate a threat but upon further investigation, the threat does not represent a real threat in your environment. For example:
- A department-wide password expiration, rather than brute force attack attempts, led to abnormal numbers of login failures and threat creation.
- Atypical location behavior was observed for a user, such as a user who was working remotely for a week.
In such cases, you can manually close the threat as Not a Threat.
How does closing a threat affect other Splunk UBA components?
When a threat is closed, it is kept in the database and is not deleted from Splunk UBA. If the threat is also being managed in Splunk Enterprise Security (ES) as a notable event, the status of the threat is synchronized with Splunk ES. See How threats and notables are synchronized in the Send and Receive Data from the Splunk Platform manual.
Threats closed as Not a Threat do not get raised again in Splunk UBA, meaning that a threat involving identical entities and behaviors is not generated again after you close the threat, even if those entities and behaviors remain in Splunk UBA. However, closing a threat does not affect the models in any way, so different entities with the same behavior would generate a new threat. See the table for more information.
Timeline | Description | Threat generated |
---|---|---|
May 1 | A new threat is generated involving user JohnA and the devices 10.4.5.6 and 100.4.5.6. | Lateral Movement, with the threat ID 001. |
May 2 | Upon investigation, the threat generated on May 1 was a false positive, and is marked and closed as such in Splunk UBA. No devices are whitelisted when the threat is closed, meaning that threats involving the same devices can be raised again. See How to close a threat in Splunk UBA. | None. |
May 3 | The same lateral movement behavior is seen with a different user JaneA and the devices 10.4.5.6 and 100.4.5.6. Because a different user is involved, a new threat is generated. | Lateral Movement, with the threat ID 002. |
May 4 | Upon investigation, the threat generated on May 3 is also not a threat because the device 10.4.5.6 is a trusted multi-host device and should be whitelisted. The threat is closed by whitelisting the device 10.4.5.6. | None. |
May 5 | Additional lateral movement behavior is seen in the system with user JohnA and the devices 10.4.5.6 and 100.4.5.6. Because the entities and behavior involved are the same as the threat that was closed earlier, no new threat is raised. | None. |
May 6 | Lateral movement behavior patterns are detected for user JohnB and the device 10.4.5.6. Because this device was whitelisted on May 4, no threat is generated by this activity. | None. |
May 6 | Lateral movement behavior patterns are detected for user JaneB and the devices 10.4.5.6 and 100.4.5.6. Since the device 100.4.5.6 is not whitelisted and JaneB is a new entity, a threat is generated for this activity, even though device 10.4.5.6 is whitelisted. | Lateral Movement, with the threat ID 003. |
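The timeline above can be reproduced with a small model of the two suppression rules it illustrates. This is an added example, not Splunk UBA code: it assumes a threat is keyed on its behavior plus the full set of entities involved, that whitelisted devices are dropped before evaluation, and that a Lateral Movement observation with no remaining device cannot form a threat.

```python
from dataclasses import dataclass, field

# Constructed model of the closure semantics in the table above (assumption,
# not Splunk UBA's implementation). Entities are user names or device
# addresses; device addresses start with a digit in this constructed sample.


def is_device(entity: str) -> bool:
    return entity[0].isdigit()


@dataclass
class ThreatTracker:
    closed: set = field(default_factory=set)            # (behavior, frozenset(entities))
    device_whitelist: set = field(default_factory=set)  # whitelisted device addresses
    next_id: int = 1

    def close(self, behavior, entities, whitelist_devices=()):
        """Close a threat as Not a Threat, optionally whitelisting devices."""
        self.closed.add((behavior, frozenset(entities)))
        self.device_whitelist.update(whitelist_devices)

    def observe(self, behavior, entities):
        """Return a new threat ID such as "001", or None when suppressed."""
        remaining = {e for e in entities if e not in self.device_whitelist}
        if not any(is_device(e) for e in remaining):
            return None  # every device involved is whitelisted (May 6, JohnB)
        if (behavior, frozenset(entities)) in self.closed:
            return None  # identical entities and behavior already closed (May 5)
        threat_id = f"{self.next_id:03d}"
        self.next_id += 1
        return threat_id


def run_timeline():
    """Replay the May 1 to May 6 events; returns the threat ID per observation."""
    t = ThreatTracker()
    lm = "Lateral Movement"
    results = []
    results.append(t.observe(lm, {"JohnA", "10.4.5.6", "100.4.5.6"}))  # May 1: 001
    t.close(lm, {"JohnA", "10.4.5.6", "100.4.5.6"})                    # May 2: false positive
    results.append(t.observe(lm, {"JaneA", "10.4.5.6", "100.4.5.6"}))  # May 3: 002
    t.close(lm, {"JaneA", "10.4.5.6", "100.4.5.6"}, ["10.4.5.6"])      # May 4: whitelist device
    results.append(t.observe(lm, {"JohnA", "10.4.5.6", "100.4.5.6"}))  # May 5: suppressed
    results.append(t.observe(lm, {"JohnB", "10.4.5.6"}))               # May 6: suppressed
    results.append(t.observe(lm, {"JaneB", "10.4.5.6", "100.4.5.6"}))  # May 6: 003
    return results
```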
Closing a threat affects user and device scores when the entity scoring process is run, once per day. See /var/log/caspida/system/EntityScoreUpdateExecutor.log for the log.
The audit logs in Splunk UBA are updated when a threat is closed.
How to close a threat in Splunk UBA
Perform the following tasks to close a threat in Splunk UBA:
- Open the Threat Details for the threat.
- Select an Action of Not a Threat.
- Additional options vary depending on the specific threat. Any threat containing an external device or domain will have the following options. Select one to close the threat. If the threat does not contain any external devices or domains, skip this step.
Desired result | Description |
---|---|
After investigating, you want to close the threat as resolved or as a false positive. Selecting this option does not whitelist any devices or domains. | Click The threat has been resolved or is false positive. |
You want to close the threat by whitelisting one or more external devices. | If the threat contains one external device, click The device <device_name> should be whitelisted to add the device to the device whitelist. If the threat contains multiple external devices, click One or more devices should be whitelisted, then select the devices you want to add to the device whitelist. |
You want to close the threat by whitelisting one or more external domains. | If the threat contains one external domain, click The domain <domain_name> should be whitelisted to add the domain to the domain whitelist. If the threat contains multiple external domains, click One or more domains should be whitelisted, then select the domains you want to add to the domain whitelist. |
- (Optional) Enter some comments about why you are closing this threat.
- Click OK.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1