Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Identify data exfiltration by a suspicious user or device

You can use Splunk UBA to detect suspicious behavior by an insider, such as a current employee. Different combinations of anomalies can trigger the same threat in your environment. Review the threat and anomaly details to determine whether to take action in response to the identified behavior.

In the following example, review the anomalies that created the Data Exfiltration by Compromised Account threat.

Review current threats in your environment

Review the Threats Table to see the current makeup of threats in your environment:

  1. From the Splunk UBA home page, select Threats.
  2. Select the Data Exfiltration by Suspicious User or Device from in the list of threats on the left.
    This screen image shows the Threats Table page. The elements on this page are described in the surrounding text.
  3. Review the first threat in the list of threats because it has the highest risk score. This opens the Threat Details page.
    This screen image shows the Threats Details page for the Data Exfiltration by Suspicious User or Device threat. The elements on this page are described in the surrounding text.
    For more details on what this page includes, see Threats Details.
  4. In this case several anomalies caused Splunk UBA to identify this user account as a threat.
    • Flight Risk User
    • Suspicious Data Movement
    • Unusual Network Activity
    • Unusual Printer Usage

Gather threat details

Use the Threat Details page to better understand this threat.

  1. Review the timeline to see how long this threat has been active, and on what date it started. This specific threat has been active for 2 days (2d).
  2. View the specific anomalies that led Splunk UBA to identify this user account as an insider threat of suspicious behavior. The anomalies display on a timeline so that you can easily identify the sequence of anomalies that make up this threat. You can click an anomaly to learn more about it. See Anomaly Details.
  3. Select the Suspicious Data Movement anomaly. In this case, a file containing sensitive data or intellectual property was suspiciously accessed and renamed, triggering the anomaly.
    This screen image shows the Anomaly Details page for the Suspicious Data Movement anomaly. The elements on this page are described in the surrounding text.
  4. Return to the threat details to continue your information gathering.
  5. Identify the users and devices participating in the threat activity. In this case, the primary user account accessed files on a single internal device, identified by its host name.
  6. View the recommended next steps.
  7. Review the steps in the kill chain that exist for this threat to understand how large of a threat these activities pose to your environment.
    This screen image shows the Kill Chain for the Data Exfiltration by Suspicious User or Device threat. The elements on this page are described in the surrounding text.
  8. Review the map of the accessed devices to determine if suspicious behavior involved locations unaffiliated with your organization. Splunk UBA uses the IP addresses and directory information on assets in your environment to locate the devices.
  9. Compare the location of the user's main device with the locations of the accessed devices.

At this point, you can stop your investigation if you have found enough information to take action. If the user account is already known to your team, you may want to freeze their account or take other action immediately. If it is a new account or person, you might want to investigate further.

Investigate the threat further

If the user account associated with the threat is a newly suspicious user, you can investigate their activities in greater detail:

  1. On the Threat Details page, select the username of the person to learn more about them and their recent activities. This opens the User Facts page.
    This screen image shows the User Facts page for the example user Bruce Yeager. The elements on this page are described in the surrounding text.
  2. Review the threats associated with their account to determine if more threats are associated with their user account.
  3. Review recent data transfer and HTTP transfer events to determine whether data is being sent out of your organization.
  4. Review the User Activities Baseline to determine the sequence of activities that the user typically performs.
  5. Use the User Graph to determine which anomalies are associated with which device IP addresses. Click the device that has the most anomalies associated with it.
  6. Select Watchlists to add the user to a watchlist to monitor their actions more closely.
  7. Review the device details to determine whether additional threats, anomalies, or user accounts have been recently associated with this machine.
  8. Identify the risk levels of the user accounts and other Device Relations.
  9. Review the Device Score Trend to see if the device is historically associated with high-risk threats.
  10. Use the Device IP Information to learn more about an IP address external to your organization.

In isolation, these anomalies could represent typical user behavior, but in sequence, Splunk UBA identified them as comprising an Insider threat of Suspicious Behavior. With the information gathered in your investigation, you can take action to contain the threat.

Last modified on 06 December, 2023
Investigate Splunk UBA entities using watchlists   Splunk UBA models overview

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0,, 5.2.0, 5.2.1, 5.3.0, 5.4.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters