Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

VPN login related anomaly detection models

Splunk UBA version 5.3.0 includes two new VPN login related anomaly detection batch models:

Model name: Abnormal VPN Session Associated with Rare Location
  Description: Detects an abnormal VPN session associated with a rare login geolocation.
  Tables used: semiaggr_s, windowsevents, fileaccess_s
  Anomalies generated: Abnormal VPN Session From Rare Location

Model name: Changepoint Model for VPN Location of Authentication Events
  Description: Detects a location changepoint in VPN authentication events.
  Tables used: semiaggr_s
  Anomalies generated: VPN Location Changepoint

Abnormal VPN Session Associated with Rare Location

The model finds unusual patterns of activity on the same day as a VPN login and determines whether the corresponding login is abnormal. The following diagram shows the detection logic of the model:

This image shows a diagram of the detection logic of the Abnormal VPN Session Associated with Rare Location model.

The Abnormal VPN Session Associated with Rare Location model is designed to detect abnormal VPN sessions through pattern mining of the post-VPN-login activity sequence.

This model is computationally expensive and might take a long time to run. You can tune the model parameters, such as memory, which defines the length of historical data used to train the model: the smaller the value, the fewer computation resources are used. You can also tune anomalyScoreThreshold, which defines the threshold at which frequent patterns are considered anomalous: the larger this value, the fewer computation resources are used.

The model uses the following data fields from the semiaggr_s cube to form the behavioral sequence for pattern mining:

  • Number of events (numEvents)
  • Event Description (evcls)
  • Source User Identification Number (sourceUserId)
  • Source Country (sourceCountry)
  • Source City (sourceCity)
  • Destination Country (destinationCountry)
  • Destination City (destinationCity)

The standard configuration also includes two supportive fields from two other cubes that reflect user or entity behavior after VPN logins:

  • Event ID (eventId) from cube windowsevents
  • Service Name (serviceName) from cube fileaccess_s

If the data sources that generate these two cubes are not available, the predefined supportive fields are automatically ignored by the model. The model does not assume that any specific event ID or service is abnormal or a threat. Instead, it mines the frequent patterns of occurrence of these fields, together with the feature fields in the semiaggr_s cube, to detect unusual events.

This model can detect unknown threats. You can redefine the supportive fields by modifying, removing, or adding fields based on the data sources available in your environment. Customized supportive field definitions are placed in the /etc/caspida/local/conf/modelregistry/offlineworkflow/ModelRegistry.json file. The number of supportive fields is not restricted, but it depends on the available computation capacity (memory and run time). Each supportive field must be defined as a fixed three-item tuple consisting of the cube name, the ID field used to match the user identification, and the indicator field, as shown in the following example:

  "models": [
    {
      "name": "Abnormal_VPN_Session_Model",
      "params": {"supportiveFeatureList": [
        ["windowsevents", "sourceUserId", "eventId"],
        ["fileaccess_s", "originatingUserId", "serviceName"]
      ]}
    }
  ]
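
As an added example (not Splunk's code), the following Python script reads a constructed ModelRegistry.json fragment of this shape, checks that every supportive field is a three-item tuple, joins each indicator to the VPN login through the tuple's user ID field for the same day, and lists the login-day values that are rare against the user's earlier login days. The "day" field, the rarity score and the sample records are assumptions made for the illustration, not the model's actual algorithm.

```python
import json
from collections import Counter

# Constructed ModelRegistry.json fragment; each supportive field is a [cube, user-id field, indicator field] tuple.
REGISTRY = json.loads("""{"models": [{"name": "Abnormal_VPN_Session_Model",
  "params": {"supportiveFeatureList": [
    ["windowsevents", "sourceUserId", "eventId"],
    ["fileaccess_s", "originatingUserId", "serviceName"]]}}]}""")

SEMIAGGR_FIELDS = ("evcls", "sourceCountry", "sourceCity", "destinationCountry", "destinationCity")

def supportive_fields(registry, model="Abnormal_VPN_Session_Model"):
    """Validate and return the (cube, id_field, indicator) tuples of a model."""
    entry = next(m for m in registry["models"] if m["name"] == model)  # StopIteration if absent
    fields = []
    for t in entry["params"]["supportiveFeatureList"]:
        if len(t) != 3 or not all(isinstance(x, str) and x for x in t):
            raise ValueError(f"supportive field must be a 3-item tuple: {t!r}")
        fields.append(tuple(t))
    return fields

def day_pattern(login, cubes, fields):
    """Login-day items: semiaggr_s features plus supportive indicators; absent cubes are skipped."""
    items = {(f, login[f]) for f in SEMIAGGR_FIELDS}
    for cube, id_field, indicator in fields:
        for rec in cubes.get(cube, []):
            if rec[id_field] == login["sourceUserId"] and rec["day"] == login["day"]:
                items.add((indicator, rec[indicator]))
    return items

def rare_items(login, history, cubes, fields, threshold=0.2):
    """Login-day items whose support over the user's earlier login days is below `threshold` (simplified score)."""
    past = [l for l in history
            if l["sourceUserId"] == login["sourceUserId"] and l["day"] < login["day"]]
    support = Counter()
    for l in past:
        support.update(day_pattern(l, cubes, fields))
    today = day_pattern(login, cubes, fields)
    return sorted(i for i in today if support[i] / max(len(past), 1) < threshold)

def sample():
    """Constructed data: five logins from Boston, a sixth from Moscow; no fileaccess_s cube, so that field is ignored."""
    def login(day, country, city):
        return {"day": day, "sourceUserId": "u1", "evcls": "VPN Login",
                "sourceCountry": country, "sourceCity": city,
                "destinationCountry": "US", "destinationCity": "New York"}
    history = [login(d, "US", "Boston") for d in range(1, 6)]
    wins = [{"day": d, "sourceUserId": "u1", "eventId": "4624"} for d in range(1, 7)]
    wins.append({"day": 6, "sourceUserId": "u1", "eventId": "4672"})
    return login(6, "RU", "Moscow"), history, {"windowsevents": wins}
```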

The anomaly detected by this model is named Abnormal VPN Session From Rare Location. You can select a detected anomaly from the Anomalies Table and navigate to a detailed view, as shown in the following image:

This image shows an example of the detailed view you can see on the Anomalies Table.

The detailed view shows why this anomaly is flagged and includes the following information:

  • Summary of the account associated with the anomaly
  • VPN origin and destination country/city
  • VPN Events: the event(s) associated with this VPN session
  • Rare Values and Associations: up to three rare values or activities associated with the VPN events

Changepoint Model for VPN Location of Authentication Events

This model detects changepoints in VPN login geolocations. It finds a changepoint by tracking the average value of the ratio between unique source points and servers, as an indicator of abnormal geolocation logins by a user. Geolocation is represented by IP address differences, so its accuracy depends on updates to the IP address mapping database. By default, the model looks back at one month of historical data to evaluate changepoints.
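
To illustrate the ratio described above, here is an added Python example (not Splunk's implementation) that computes a user's daily ratio of unique source IPs to unique destination servers over a one-month lookback and picks the day at which the running average of that ratio shifts most. The record fields, the segmentation rule and the sample records are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean

def daily_ratio(records, user, lookback_days=30):
    """Per-day ratio of unique source IPs to unique destination servers for `user`
    over the last `lookback_days` days of the data (the page's default is one month)."""
    last_day = max(r["day"] for r in records)
    sources, servers = defaultdict(set), defaultdict(set)
    for r in records:
        if r["sourceUserId"] == user and r["day"] > last_day - lookback_days:
            sources[r["day"]].add(r["sourceIp"])
            servers[r["day"]].add(r["destinationHost"])
    return [(d, len(sources[d]) / len(servers[d])) for d in sorted(sources)]

def find_changepoint(series, min_shift=0.5, min_segment=3):
    """Day at which the average ratio shifts most between the days before and after
    it (simplified binary segmentation, not Splunk's algorithm). Returns
    (day, mean_before, mean_after), or None when no shift reaches `min_shift`."""
    best = None
    for k in range(min_segment, len(series) - min_segment + 1):
        before = mean([v for _, v in series[:k]])
        after = mean([v for _, v in series[k:]])
        shift = abs(after - before)
        if shift >= min_shift and (best is None or shift > best[3]):
            best = (series[k][0], before, after, shift)
    return best[:3] if best else None

def sample_records():
    """Constructed VPN authentication records for one user: two weeks from a single
    source IP, then six days spread over three source IPs (a geolocation change)."""
    recs = []
    for day in range(1, 21):
        ips = (["203.0.113.10"] if day < 15
               else ["198.51.100.7", "198.51.100.8", "198.51.100.9"])
        for ip in ips:
            recs.append({"day": day, "sourceUserId": "u1", "sourceIp": ip,
                         "destinationHost": "vpn-gw-1"})
    return recs
```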

The model uses the semiaggr_s cube as its data source. The anomaly detected by this model is named VPN Location Changepoint. Each anomaly's supporting evidence is presented starting with a summary description, as shown in the following image:


In addition to the regular time-series anomaly analytics fields and drilldown data, the supporting evidence on the investigation page includes the following:

  • Login user ID
  • Source country of authorization
  • Event description
Last modified on 15 August, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.3.0, 5.4.0
