Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Download manual as PDF

Download topic as PDF

Investigate Splunk UBA entities using watchlists

Use watchlists in Splunk UBA to group entities together for additional analysis or investigation. For example, you may discover that a small group of individuals are associated with a high number of flight risk and data exfiltration anomalies. You can group these users together in a watchlist so that further anomalies and threats associated with these users are scored appropriately.

It is important to maintain watchlists to avoid extraneous or irrelevant information. For example, the executive staff may be considered high-risk users as frequent targets of espionage and other malicious behavior, and you can place them on a watchlist to monitor the activity on their accounts more closely. However, changes in the executive staff, such as an employee being promoted to the executive staff or a current executive leaving the company, must be reflected in the watchlists. Users and other entities must be individually and manually added to or removed from watchlists to avoid having outdated information.

Splunk UBA includes several default watchlists aligned with typical use cases and processes in a security operations center. For example, the default watchlists provided by Splunk UBA for anomalies conform to the following scenario:

  1. An anomaly is investigated.
    1. If it not a legitimate anomaly, put it on the False Positive watchlist.
    2. If the anomaly requires further analysis, put it on the Anomaly Watchlist.
  2. From the Anomaly Watchlist, move certain anomalies to the Important watchlist for immediate action.
  3. Once an anomaly is evaluated, put it on the Reviewed watchlist.

You can create your own watchlists in Splunk UBA or use any of the included watchlists. You can assign multiple watchlists of the same type to any single entity. For example, a user can be on more than one user watchlists. Adding an entity to a watchlist in Splunk UBA does not affect any scoring except for the Departing Users, High Risk Users, New Users, and Privileged Users watchlists. These user watchlists are considered high risk by default and some threat models use this as a factor in determining the user's score.

Use anomaly action rules to affect the scoring of entities in any watchlist. You can create a rule for anomalies to automatically be added to a watchlist when specific conditions are met. Anomaly action rules can also consume other watchlists such as user watchlists as a condition. For example, you can write an anomaly action rule to add an anomaly to a watchlist when there are malware anomalies involving a user on the High Risk user watchlist.

The following table summarizes the entities that can be placed on a watchlist, how each entity is added to a watchlist, and the default watchlists that are included with Splunk UBA:

Entity How to add to watchlist
Anomalies Use one of the following methods to add anomalies to a watchlist:
  1. Add anomalies one at a time from the Anomaly Details page.
  2. Create an Anomaly Action Rule to add any anomaly that matches a filter to a watchlist. See Take action on anomalies with anomaly action rules.

The following anomaly watchlists are provided by Splunk UBA:

  • Anomaly Watchlist
  • False Positive
  • Important
  • Reviewed
Applications Add apps one at a time from the Apps Review page. One watchlist named App Watchlist is provided by Splunk UBA.
Devices Add devices one at a time from the Devices Review or Device Details page. One watchlist named Device Watchlist is provided by Splunk UBA.
Domains Add domains to a watchlist by starting with threat details, then viewing any domain page such as Domain Facts, Domain Threats, or Domain Anomalies. One watchlist named Domain Watchlist is provided by Splunk UBA.
Threats Add threats one at a time from the Threats Review or Threat Details page. The following threat watchlists are provided by Splunk UBA:
  • False Positive
  • Important
  • Reviewed
  • Save for Later
  • Threat Watchlist
Users Add users one at a time from the Users Review or User Details page. The following user watchlists are provided by Splunk UBA:
  • Departing Users*
  • High Risk Users*
  • New Users*
  • Privileged Users*
  • User Watchlist

Splunk UBA considers the watchlists marked by an asterisk (*) as high risk by default. Being in one of these watchlists is a factor for some threat models when generating user scores.

From the Anomalies Table or Anomalies Dashboard pages, you can filter the anomalies you want to see by specifying any combination of watchlists. For example, you can create a filter to view only anomalies that belong to both a specific anomaly watchlist and also a domain watchlist.

View a summary of the watchlists in Splunk UBA

You can view a summary of the watchlists in your Splunk UBA deployment by selecting Manage > Watchlists.
This screen image shows the Watchlists page in Splunk UBA. The elements on the page are described in the text immediately following this image.

  • Create a new watchlist be selecting the watchlist type, the clicking New Watchlist. For example, to create a new user watchlist, select User Watchlists and click New Watchlist.
  • Delete a watchlist by selecting the watchlist you want to delete, then select Action > Delete. Splunk UBA's default high-risk user watchlists cannot be deleted.
  • Edit the name or description of a watchlist be hovering over the watchlist name, then clicking the edit (The edit icon.) icon.

To view the contents of a watchlist, click on the number of entities shown in the table. In this example, we see the number 2 in the Anomalies column for the Anomaly Watchlist watchlist. Click on the number 2 to view all of the anomalies in the Anomaly Watchlist watchlist.

Example: Use a watchlist to investigate a group of users for suspected data exfiltration

In this example, we will do the following:

  1. Identify a group of users who are suspected of moving data outside the company and place them on a watchlist
  2. Create a new anomaly action rule so that if any additional anomalies are generated against these users, put the anomaly into an anomaly watchlist for immediate processing.

Create a new user watchlist

Perform the following tasks to create a new user watchlist:

  1. In Splunk UBA, select Manage > Watchlists.
  2. In the list of watchlist types, select User Watchlists.
  3. Click New Watchlist.
  4. In the New User Watchlist window, enter the watchlist name Data Exfiltration.
  5. Click OK.

Filter users to add to the watchlist

Next, we will filter a group of users to add to the new watchlist.

  1. In Splunk UBA, select Users on the home page or select Explore > Users.
  2. Select Add Filter, scroll down and select Anomaly Categories, then select Exfiltration.
  3. We only want to consider users in the top half of the risk percentile. Select Add Filter, scroll down to and select Anomaly Risk Percentile, then configure the value to be >= 50.

After applying the filters to the users in the system, there are six users who match.

This screen image shows the user table after anomaly category and anomaly risk percentile filters have been applied. There are six users listed with varying user scores ranging from 6 to 2.

Add each user to the watchlist

Add each user to the Data Exfiltration watchlist.

  1. Click on the first user in the table.
  2. On the User Facts page, click Watchlists and select Data Exfiltration to add the user to the Data Exfiltration watchlist.
  3. Click back in your browser to return to the user table.
  4. Repeat this procedure until all users are added to the watchlist.
  5. On the user table, click the small gear icon on the right side of the table. In the Add/Remove Columns window, scroll down and select User Watchlists.
  6. Click OK.

The user table now shows a Watchlists column, with the names of the watchlists that each user belongs to.

This screen image shows the user table after anomaly category and anomaly risk percentile filters have been applied, and all users have been added to a watchlist. There is a column named Watchlist with the watchlist name "Data Exfiltration" appearing in each row.

The 10000 (Deleted) notation for the first user means that he was placed on a different watchlist, but the watchlist was deleted.

Create an anomaly action rule involving the users in the user watchlist

Now, we will create an anomaly action rule so that when additional exfiltration anomalies are generated against these users, the anomalies are placed into the Important anomaly watchlist provided by Splunk UBA for immediate attention.

  1. In Splunk UBA, click Anomalies from the home page or select Explore > Anomalies.
  2. Click the anomaly rules icon.
  3. Click New Anomaly Action Rule.
  4. On the Rule Action page:
    1. Select Add Anomalies to Watchlist and select Important from the drop-down list in the Rule Action section.
    2. Select Apply to Future Anomalies in the Rule Scope section.
    3. Click Next.
  5. On the Anomaly Filter page:
    1. In the Anomalies section, select Anomaly Categories then select Exfiltration.
    2. Int he User section, select User Watchlists, then select Data Exfiltration.
    3. Click Next.
  6. On the Rule Properties page, specify Data Exfiltration as the rule name.
  7. Click OK.

The new rule can be see at the top of the Anomaly Rules page.

This screen image shows the anomaly action rules page. The new Data Exfiltration rule appears at the top of the table and is highlighted.

Example: VirusTotal watchlist

Running the VirusTotal script included with Splunk UBA creates a watchlist containing external IP addresses and domains in Splunk UBA that match VirusTotal.

See Configure the VirusTotal script to see VirusTotal anomalies in Splunk UBA.

PREVIOUS
Create a custom dashboard
  NEXT
Identify data exfiltration by a suspicious user or device

This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters