Understand data flow in Splunk UBA

• See Use connectors to add data from the Splunk platform to Splunk UBA for more information about the connector types.
• See How data gets into Splunk UBA for more information about how data gets ingested into Splunk UBA from the Splunk platform.
• See Use connectors to add data from the Splunk platform to Splunk UBA for instructions.

• Normalize device and domain names, and associate all accounts identified in your HR data with a single human user.
• Perform identity resolution to find the real-time association between IP addresses, host names, and users, and also maintain these associations over time.

You can also configure generic data sources to bring raw events into Splunk UBA. These raw events belong to the generic view and can also stored in data cubes and are processed for anomalies. See What is the custom use case framework? in Develop Custom Content in Splunk User Behavior Analytics.

• Streaming models analyze ingested data in real time and determine the impact of those events over a short time window, such as the past hour. Based on this analysis, streaming models can produce a multitude of items in Splunk UBA, such as anomalies, indicators of compromise (IoCs), or analytics data.
• Batch models and anomaly rules analyze ingested data over a larger time window, such as the last 24 hours, typically running overnight due to the need to process large amounts of data. All threat models in Splunk UBA run as batch models, taking into account the aggregation of data in Splunk UBA including the data cataloged by the streaming models. There are two types of batch models in Splunk UBA:
  • Rare event models generate anomalies by detecting unusual, rare, or first time activity.
  • Time series models generate anomalies by tracking specific activities over a period of time.

You can create new batch anomaly models or clone existing models using the custom use case framework. See What is the custom use case framework? in Develop Custom Content in Splunk User Behavior Analytics.

Anomalies are grouped into various categories such as Exfiltration, Infection, or Expansion. These categories typically correspond to stages of the kill chain and make it possible for your threat logic to place anomalies into the correct sections of the chain. Anomaly models also add metadata to anomalies. These metadata are specific to individual anomaly types and are used to filter the anomalies during investigation or anomaly hunting.

• You can use anomaly action rules in Splunk UBA to manage existing anomalies in the system as part of the anomaly creation flow. For example, you can delete or restore anomalies, modify the score, or add anomalies to a watchlist. See Take action on anomalies with anomaly action rules.
• You can also customize anomaly scoring rules to provide a level of control and consistency across specific anomaly types. See Customize anomaly scoring rules.

Anomalies have both types and categories. Types are specific descriptive names of anomalies, while categories are generic descriptions for anomalies. Multiple anomaly types can share a category, and one anomaly type can have multiple categories. Create an anomaly action rule or a custom threat with either anomaly types or anomaly categories, depending on how specific you want the rule or threat to be.

You can also create custom threat rules to identify verifiable threats in your network, like specific activities that you want to monitor for policy compliance. Create, edit, enable, and manage the custom threats that are most useful for your organization. You can create custom threats that apply to users, devices, or sessions. Several custom threats are included with Splunk UBA.

• Threat models take into account the aggregation of data in Splunk UBA, including the data cataloged by the streaming models, to generate threats. All threat models in Splunk UBA run as batch models.
• Threat rules generate threats by looking for specific anomaly patterns within a specific window of time. A threat is generated each time the anomaly pattern is found. Each rule runs on a pre-defined schedule, depending on the nature of the rule.

Threats can be computed in the following ways:

• Kill-chain threats examine all anomalies for a specific user or device for patterns that align with the kill-chain stages. Example kill-chain threats are Data Exfiltration by Suspicious User or Device or Data Exfiltration by Compromised Account.
• Graph-based threats are computed based on groups of similar anomalies rather than anomalies grouped by user or device. Example graph-based threats are Public-facing Website Attack or Fraudulent Website Activity.
• Data-driven threats collect data about anomalies and users or devices to determine the likelihood of a threat. Insider threats are computed by the data-driven computation process. Example data-driven threats are Lateral Movement and Data Exfiltration.
• Rule-based threats are raised from custom threat rules when a specific set of conditions are met. Example rule-based threats are Brute Force and Data Exfiltration after Data Staging.