Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Splunk UBA models overview

Splunk User Behavior Analytics (UBA) focuses on tracking user behaviors, with devices and applications as the primary entities. UBA aggregates ingested events, storing them in a scalable "analytics" store to reduce raw events. The aggregation granularity and retention period is configurable.

UBA uses unsupervised machine learning to profile normal behavior for each identity and asset, and then looks for unusual behavior patterns across those identities and assets. To help ensure your analysts are able to focus on critical threats that pose the greatest risk to the organization, once UBA identifies anomalies, it again uses machine learning models and looks for unusual patterns in the captured anomalies. These anomalies indicate a High Fidelity Threat.

UBA models generate anomalies, threats, or indicators of compromise. Anomalies are generated by the streaming models, batch models, and anomaly rules. Anomalies provide you with threat evidence. Threats in UBA are what you can base your actions on. Batch models operate on aggregated events, providing re-computation on training and scoring over a sliding data window. You can establish your own policy for model retraining in support of large deployments.

What are anomalies?

Anomalies are notable findings in the data, including deviations from typical user behavior, or the detection of interesting patterns, such as beaconing. Anomalies vary in scope and complexity, ranging from highlights of a useful alarm as generated by an external product, a security endpoint solution or a firewall, to a data exfiltration attempt requiring advanced statistical and machine learning models to detect.

Anomalies have both types and categories:

  • Types are specific descriptive names of anomalies.
  • Categories are generic descriptions for anomalies.

Multiple anomaly types can share a category, and one anomaly type can have multiple categories. For example, Anomalies can be grouped into various categories such as Exfiltration, Infection, or Expansion.

A Splunk UBA operator can view anomalies and take further action on that anomaly as needed.

What are threats?

A threat is a collection of one or more anomalies that form a clearly defined security use case, such as Data Exfiltration. Threats are often correlated with indicators of compromise (IoC) and other supporting evidence to provide a detailed description of a series of events.

Threats can be computed in different ways. For example, Kill-chain threats examine all anomalies for a specific user or device, looking for patterns that align with kill-chain stages. Examples of kill-chain threats are Data Exfiltration by Suspicious User or Device and Data Exfiltration by Compromised Account.

Graph-based threats are computed using groups of similar anomalies rather than anomalies grouped by user or device. Examples of graph-based threats are Public-facing Website Attack and Fraudulent Website Activity.

What are peer groups and entity profiling?

Within UBA, several models follow the concept of peer groups and entity profiling. There are four primary types of peer groups:

  • Human Resources peer groups combine Active Directory (AD) groups and management chains.
  • Organizational Unit (OU) peer groups are constituted based on organizational units.
  • Behavioral peer groups are formed by clustering behavioral patterns.
  • Device peer groups are defined by the network activity of device groups.

Entity profiling includes both user and device profiling, constructed through the analysis of user and device properties as derived from AD activity.

Types of UBA models

The following types of models are supported in Splunk UBA:

Batch models

Batch models and their associated anomaly rules operate on accumulated data stored in the UBA analytical store. Batch models analyze ingested data over a larger time window, such as the last 24 hours. Batch models typically run overnight due to the need to process large amounts of data.

Some use cases such as beaconing, function in a mixed mode, where the streaming component identifies "events of interest," which may subsequently be converted into anomalies by offline components.

To learn more, see Batch models.

Security analytics models

UBA provides models that can establish a security context and compute security analytics. These models use an array of detection algorithms for security use cases. To further enhance the quality of these models, the algorithms re-score anomalies by refining anomaly action and score rules. This includes ranking both internal and external users, and providing more personalized detection with threat rules, watchlists, allow and deny lists, and dashboards.

You can use anomaly action rules to manage existing anomalies. For example, you can delete or restore anomalies, modify the score, or add anomalies to a watchlist. You can also customize anomaly scoring rules to provide a level of control and consistency across specific anomaly types.

Streaming models

Streaming models process every event as it comes, which is valuable for use cases where the sequence and timing of events is crucial. Streaming models analyze ingested data in real time, and determine the impact of that data over a short time window, such as the past hour. Streaming models can generate anomalies, indicators of compromise (IoCs), or analytics data in UBA.

Threat models

Threat models are based on the data and anomalies in the system. Threat models take data aggregation into account, including the data cataloged by the streaming models, to generate threats. All threat models in Splunk UBA run as batch models.

UBA threat rules can generate threats by looking for specific anomaly patterns within a specific window of time. A threat is generated each time the anomaly pattern is found. Each threat rule runs on a predefined schedule, depending on the nature of the rule.

You can create custom threat rules to identify verifiable threats in your network, such as specific activities that you want to monitor for policy compliance. Custom threats can apply to users, devices, or sessions. Several custom threats are included with Splunk UBA. Create, edit, enable, and manage the custom threats that are useful for your organization.


Last modified on 15 August, 2023
Identify data exfiltration by a suspicious user or device   Batch models

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.3.0, 5.4.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters