Splunk User Behavior Analytics 4.2 Delivers User Feedback for Machine Learning Models and More

For those of you who joined us at .conf18 in Orlando, our keynote gave you a sneak peek into the new innovations across the Splunk security portfolio. Today we’re excited to announce the new updates for Splunk User Behavior Analytics (UBA) in our 4.2 release, now generally available.

As a quick refresher, with nearly half of security breaches coming from malicious insiders and the shortage of security staff, Splunk UBA extends the power of Splunk Enterprise Security—the industry-leading SIEM—by helping analysts leverage machine learning to detect unknown threats and find insider threats and anomalous user behavior.

What’s New in Splunk UBA 4.2

With Splunk UBA 4.2, we’re delivering even more value to you with new capabilities that include:

  • User Feedback for machine learning models provides anomaly customization and improved threat detection accuracy
  • Improved data ingestion performance by up to 10x, with the new Splunk-to-Kafka UBA ingestion connector
  • Native single-sign-on authentication support for multiple identity providers: Okta, Microsoft ADFS and Ping Identity

User Feedback for Machine Learning Models

We know your organization is special—whether you’re in financial services, healthcare or tech, you all have a different interpretation of what constitutes an anomaly in your world. So now with User Feedback, we’re empowering you to provide direct and granular feedback to individual UBA anomaly models by simply scoring the features in the model based on your organization’s processes, policies, assets, user roles and functions. Using the anomaly scoring rules (which are available per anomaly type), you can tune the individual feature criteria and thresholds up and down for each anomaly model—which will in turn affect the overall threat score of the encompassing threats and extend the feedback to actionable detections consumed by the SOC. User Feedback is a super powerful way for your SOC teams to customize the out-of-the-box content available in UBA.
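To make the tuning mechanics concrete, here is an added, illustrative model of per-feature anomaly scoring rules and how adjusting a feature's threshold or weight propagates into the threat score. This is example code written for this post, not Splunk UBA's own scoring algorithm or API; the anomaly types, feature names, weights and observations below are all constructed for the illustration.

```python
"""Toy per-feature anomaly scoring with analyst-tunable rules (illustrative only,
not Splunk UBA's real model). Shows how raising a threshold for a feature that
is legitimate in your environment lowers the anomaly score, and how that change
flows through to the aggregated threat score."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class FeatureRule:
    name: str          # feature the rule inspects
    threshold: float   # value at or above which the feature "fires"
    weight: float      # how much a firing feature contributes to the anomaly score


@dataclass(frozen=True)
class AnomalyModel:
    anomaly_type: str
    rules: List[FeatureRule]

    def score(self, observation: Dict[str, float]) -> float:
        """Anomaly score in [0, 1]: weight of firing rules over total weight."""
        total = sum(r.weight for r in self.rules)
        if total == 0:
            return 0.0
        fired = sum(r.weight for r in self.rules
                    if observation.get(r.name, 0.0) >= r.threshold)
        return fired / total

    def tune(self, feature: str, *, threshold: float | None = None,
             weight: float | None = None) -> "AnomalyModel":
        """Return a copy with one feature's threshold and/or weight adjusted (analyst feedback)."""
        new_rules = []
        for r in self.rules:
            if r.name == feature:
                r = replace(r,
                            threshold=r.threshold if threshold is None else threshold,
                            weight=r.weight if weight is None else weight)
            new_rules.append(r)
        return replace(self, rules=new_rules)


def threat_score(anomaly_scores: Sequence[float]) -> float:
    """Noisy-OR aggregation: 1 - prod(1 - s). One strong anomaly dominates,
    several weak ones still add up; stays in [0, 1]."""
    remaining = 1.0
    for s in anomaly_scores:
        remaining *= (1.0 - s)
    return 1.0 - remaining


# Constructed out-of-the-box models (hypothetical anomaly types and features).
EXCESSIVE_UPLOAD = AnomalyModel("excessive_upload", [
    FeatureRule("bytes_uploaded_gb", threshold=1.0, weight=2.0),
    FeatureRule("after_hours", threshold=1.0, weight=1.0),
    FeatureRule("destination_new", threshold=1.0, weight=1.0),
])
UNUSUAL_LOGIN = AnomalyModel("unusual_login", [
    FeatureRule("failed_logins", threshold=5.0, weight=1.0),
    FeatureRule("new_country", threshold=1.0, weight=2.0),
])

# Constructed observations for one user in a data-science team that routinely
# pushes multi-GB datasets to a new storage bucket.
UPLOAD_OBS = {"bytes_uploaded_gb": 3.0, "after_hours": 0.0, "destination_new": 1.0}
LOGIN_OBS = {"failed_logins": 2.0, "new_country": 1.0}


def compare_default_vs_tuned() -> Dict[str, float]:
    """Score the user with the default models, then with analyst feedback that
    raises the upload threshold to 5 GB for this team's normal workload."""
    default_scores = [EXCESSIVE_UPLOAD.score(UPLOAD_OBS), UNUSUAL_LOGIN.score(LOGIN_OBS)]
    tuned_upload = EXCESSIVE_UPLOAD.tune("bytes_uploaded_gb", threshold=5.0)
    tuned_scores = [tuned_upload.score(UPLOAD_OBS), UNUSUAL_LOGIN.score(LOGIN_OBS)]
    return {
        "default_upload_anomaly": default_scores[0],
        "tuned_upload_anomaly": tuned_scores[0],
        "default_threat": threat_score(default_scores),
        "tuned_threat": threat_score(tuned_scores),
    }


if __name__ == "__main__":
    for k, v in compare_default_vs_tuned().items():
        print(f"{k:>24}: {v:.3f}")
```

Raising the upload threshold for that team drops the upload anomaly from 0.75 to 0.25, and the aggregated threat score falls from about 0.92 to 0.75; the login anomaly is untouched, so feedback stays scoped to the one feature the analyst meant to tune. The aggregation rule here is a simple noisy-OR chosen for the illustration; the point is that per-feature feedback changes the encompassing threat score rather than just one anomaly in isolation.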

Splunk-to-Kafka UBA Data Ingestion

Historically, when getting data from core Splunk into Splunk UBA, both results and events were sent from the indexers to the search head, which was less than ideal for high volume data sources. Now, with the new Splunk-to-UBA-Kafka Ingestion App, you can onboard Splunk data directly into the UBA Kafka messaging system. Enabling data onboarding directly from the indexers bypasses the search head, delivering a faster and more reliable mechanism for data ingestion, and ultimately strengthens data quality for all our machine learning and rule-based detection models. Furthermore, Kafka ingestion does not require Splunk UBA to run real-time indexed search queries on core Splunk, but rather uses micro-batched queries.

Native Single-Sign-On Authentication Support

Splunk UBA 4.2 extends SSO authentication support to include more identity providers such as Okta and Microsoft ADFS. This is in addition to the existing UBA authentication support for Ping Identity. Splunk UBA admins, security analysts and users can now directly authenticate on Splunk UBA via Okta and ADFS SAML authentication, helping SOC and insider threat teams maintain compliant access controls across their Splunk security nerve center.

In case you missed out on some of the Splunk UBA sessions at .conf18, check out a few of these presentations from our customers and security specialists.

Interested in Learning More?

The Splunk UBA 4.2 release also includes numerous other enhancements to the user experience and functionality of the platform. For more information on the latest enhancements available in Splunk UBA 4.2, please review the Splunk 4.2 Release Notes. Contact us to find out how our customers are detecting insider threats and how you can benefit from using a machine learning-driven, behavior detection solution.

Patriz Regalado is Director of Product Marketing responsible for developing go-to-market strategies for Splunk cybersecurity solutions. Prior to joining Splunk, Patriz led Product Marketing for Identity and Security solutions at Salesforce. Patriz has held Engineering, Product Marketing, Product Management, and go-to-market roles at leading cybersecurity and technology software companies.