Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics


Delete threats and anomalies

Threats and anomalies can be deleted in Splunk UBA by users with admin privileges. User risk scores are generated based on the anomalies and threats linked to the user. If you choose to delete threats and anomalies, you will affect these scores.

When a threat is deleted, Splunk UBA remembers the specific combination of anomalies contributing to the threat, and does not generate the threat again when the same combination of anomalies is encountered in the future. All existing user risk scores that were based on the deleted threat are adjusted.

You can also delete a threat if you realize that it is not a threat. In some cases, anomalies may be created that generate a threat but upon further investigation, the threat does not represent a real threat in your environment. For example:

  • A department-wide password expiration, rather than brute-force attack attempts, led to abnormal numbers of login failures and threat creation.
  • Atypical location behavior was observed for a user because that person is working remotely for a week.

Sometimes, anomalies may be generated and upon investigation, deemed to have low value. The following examples represent situations where anomalies would be expected and thus have less value than cases where anomalies would not be expected:

  • If you have a penetration tester on your network, the tester's behavior can create anomalies that do not indicate a real threat to your environment.
  • If one employee takes on additional job roles to cover another employee's vacation or leave, the employee's out-of-the-ordinary behaviors can generate anomalies.
  • An employee works remotely temporarily from an area where your company has no offices.

You can delete these anomalies to prevent them from generating threats, and also to effect a desired change in user risk scores.

You can restore and view deleted anomalies, if they were deleted by accident or based on investigation details that are no longer accurate. After you delete anomalies, threats created by those anomalies can change or disappear. Similarly, after restoring deleted anomalies, new threats can be created or existing threats can change. User risk scores are also directly affected by deleting or restoring anomalies. See Splunk UBA adjusts threats after you take action on anomalies.
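As an added illustration, not Splunk UBA code, the following model shows the behavior described above: trashing an anomaly hides it from scoring but keeps it restorable, permanent deletion drops it, and marking a threat Not a Threat records its anomaly combination so the same combination is not turned into a threat again. The threat-forming rule (two or more active anomalies) and the score formula are assumptions chosen for the demonstration, as is the sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Anomaly:
    id: str
    user: str
    score: int
    trashed: bool = False  # in the trash: hidden from scoring, but restorable

@dataclass
class UbaModel:
    anomalies: dict = field(default_factory=dict)  # permanently deleted ones are dropped entirely
    suppressed: set = field(default_factory=set)   # anomaly combinations marked "Not a Threat"

    def add(self, a: Anomaly) -> None:
        self.anomalies[a.id] = a

    def active(self, user: str) -> list:
        return [a for a in self.anomalies.values() if a.user == user and not a.trashed]

    def threats(self, user: str) -> list:
        # Assumed rule: two or more active anomalies for a user form one threat from
        # that exact combination, unless the same combination was suppressed before.
        combo = frozenset(a.id for a in self.active(user))
        return [combo] if len(combo) >= 2 and combo not in self.suppressed else []

    def risk_score(self, user: str) -> int:
        # Assumed formula: sum of active anomaly scores plus 50 per open threat.
        return sum(a.score for a in self.active(user)) + 50 * len(self.threats(user))

    def delete_threat(self, combo) -> None:   # "Not a Threat": remember the combination
        self.suppressed.add(frozenset(combo))
    def trash(self, aid: str) -> None:        # Move to Trash
        self.anomalies[aid].trashed = True
    def restore(self, aid: str) -> None:      # Restore from the Anomalies Trash
        self.anomalies[aid].trashed = False
    def delete_permanently(self, aid: str) -> None:  # Delete Permanently: not restorable
        del self.anomalies[aid]

def walkthrough() -> list:
    """Risk score after each action, on constructed sample data for user 'alice'."""
    m = UbaModel()
    for a in (Anomaly("a1", "alice", 20), Anomaly("a2", "alice", 30)):
        m.add(a)
    scores = [m.risk_score("alice")]                                          # 100: two anomalies + threat
    m.trash("a2"); scores.append(m.risk_score("alice"))                       # 20: threat disappears
    m.restore("a2"); scores.append(m.risk_score("alice"))                     # 100: threat comes back
    m.delete_threat({"a1", "a2"}); scores.append(m.risk_score("alice"))       # 50: combination suppressed
    m.add(Anomaly("a3", "alice", 10)); scores.append(m.risk_score("alice"))   # 110: new combination
    m.delete_permanently("a3"); scores.append(m.risk_score("alice"))          # 50: suppressed combo again
    return scores
```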

Delete threats in Splunk UBA

To delete a threat in Splunk UBA, perform the following tasks:

  1. Open the Threat Details for the threat.
  2. Select an Action of Not a Threat.
  3. Select a reason and optionally enter some comments about why you are deleting this threat.
  4. Click OK to delete the threat.

Deleting a threat removes it from Splunk UBA. When selecting a reason for deleting the threat, if you chose to whitelist entities involved in the threat (for example, whitelist one or more IPs or domains), the respective whitelist gets updated. This can affect any models that look for whitelisted IPs.

The audit logs in Splunk UBA are updated when a threat is deleted.

Delete anomalies in Splunk UBA

Deleting anomalies does not affect the data science models.

There are two ways to delete anomalies.

  • Move anomalies to the trash and potentially restore them at a later date.
  • Permanently delete anomalies.

Move anomalies to the trash

To move a single anomaly to the trash, perform the following tasks:

  1. Open the Anomaly Details for the anomaly that you would like to delete.
  2. Click Delete.
  3. Select Move to Trash.
  4. Click OK to confirm that you want to send the anomaly to the trash.

To move multiple anomalies from the anomalies table to the anomalies trash, perform the following tasks:

  1. Select Explore > Anomalies to open the Anomalies Table.
  2. Filter the anomalies to show only those you want to delete. For example, change the time selection and add a User Types filter of Accounts to show only account-based anomalies created more than 30 days ago.
  3. Click Actions > Delete Selected to delete all the anomalies shown.
  4. Select Move to Trash.
  5. Click OK to confirm that you want to delete the anomalies.

Permanently delete anomalies

To permanently delete a single anomaly, perform the following tasks:

  1. Open the Anomaly Details for the anomaly that you would like to delete.
  2. Click Delete.
  3. Select Delete Permanently.
  4. Click OK to confirm that you want to delete the anomaly permanently.

To permanently delete multiple anomalies from the anomalies table, perform the following tasks. After you delete an anomaly in this way, you cannot restore it.

  1. Select Explore > Anomalies to open the Anomalies Table.
  2. Filter the anomalies to show only those you want to delete. For example, change the time selection and add a User Types filter of Accounts to show only account-based anomalies created more than 30 days ago.
  3. Click Actions > Delete Selected to delete all the anomalies shown.
  4. Select Delete Permanently.
  5. Click OK to confirm that you want to delete the anomalies.

View and restore deleted anomalies

Review anomalies sent to the trash and restore anomalies sent to the trash in error from the Anomalies Trash view of the anomalies table.

  1. Select Explore > Anomalies.
  2. Select Actions > View Anomalies Trash.
    • To restore all anomalies previously sent to the trash, click Actions > Restore Anomalies.
    • To restore a selection of the anomalies previously sent to the trash, apply additional filters then click Actions > Restore Anomalies.
    • To restore a single anomaly sent to the trash, click the name to open the Anomaly Details view and click Restore from that view.

If necessary, you can review the IDs of permanently deleted anomalies in the /ruleengine/realtimeruleexecutor.log log file.

If you export anomalies to another system, such as Splunk Enterprise Security, an analyst can open a link to a deleted anomaly or an anomaly in the trash. You can still view and restore anomalies that have been sent to the trash, but you cannot review anomalies that have been permanently deleted. Following a link to a permanently deleted anomaly displays an error of "The requested anomaly could not be found."

Splunk UBA cleans up old anomalies in the trash

The AnomalyPurger process runs daily after midnight and removes all anomalies in the trash that are more than 90 days old.

  • Configure the persistence.anomalies.trashed.maintain.days property to change the 90-day retention period for anomalies in the trash.
  • When the process runs, batches of 300K anomalies are removed from the trash until all qualifying anomalies are removed. Configure the persistence.anomalies.trashed.del.limit property to change the batch size as desired.

Limits for anomaly actions in Splunk UBA

Splunk UBA defines the following limits when taking action on anomalies, such as changing the score, moving to or removing from a watchlist, deleting anomalies, restoring anomalies from the trash, or any anomaly action rules affecting existing anomalies:

  • In 10- and 20-node clusters, you can perform a single anomaly action that includes up to 200K anomalies.
  • In clusters of 7 nodes or fewer, you can perform a single anomaly action that includes up to 100K anomalies.

Last modified on 07 January, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2