Machine Learning in Splunk
Behavioral Analytics


Splunk Behavioral Analytics (BA) will introduce the first cloud-native behavioral analytics features to Splunk’s security portfolio.

Behavioral Analytics capabilities for Security Cloud will be features that are embedded and accessed via Splunk Mission Control. 

Behavioral Analytics:

Behavioral Analytics (BA) solutions build baseline profiles of the normal behavior of users and entities (hosts, applications, network traffic, and data repositories) across time and across peer groups. These analytics are paired with security use cases so that deviations from the baseline can be used to identify suspicious and malicious behavior. BA provides a user- and entity-centric view of an organization's security posture, allowing analysts to see the whole story and connect disparate alerts to discover threats and potential incidents.

What Problem Are We Trying To Solve?

Identifying and stopping sophisticated attacks requires advanced artificial intelligence (AI) and machine learning across all enterprise data. Current approaches leave data hidden in silos across companies and security infrastructure, limiting the effectiveness of analytics.

To provide the most accurate analytics, Splunk offers a data sharing feature used for (not an all-inclusive list):

  • Troubleshooting errors when data is not formatted as expected
  • Troubleshooting detections with high false rates
  • Identifying new trends in security threats by targeted industry
  • Developing new security analytics that have efficacy across customers
  • Tuning and rationalizing machine learning models and algorithms
  • Constantly learning from new data sources to evolve our analytics for defense
  • Applying advanced AI and machine learning with cloud-scale data and compute

Frequently Asked Questions

What is machine learning?

Machine learning is a term that describes how a computer analyzes data and then makes predictions or provides suggestions based on what it learns from that data. It is used to improve and deliver many of the products and services you interact with every day.

A common example of machine learning is an email application that automatically moves messages to your spam folder. The application analyzes the data included in your emails and predicts, from the patterns it discovers, the likelihood that messages are unwanted spam. It then takes action based on that prediction and moves certain messages out of your Inbox and into your spam folder.

When you tag a message as spam, the application learns from that and continually improves its accuracy of automatically flagging spam mail. The more data that is analyzed by the application, the better the application becomes at a particular task. This process of improving through experience is an example of machine learning.

What are the benefits?

At Splunk, we use machine learning development to improve our products and services, which allows us to deliver innovative and cutting-edge solutions.

We also use machine learning-enabled features to help you be more efficient and effective. For example, we may use machine learning-enabled features to tune our algorithms that power detection rules to reduce the false-positive rate without increasing the false-negative rate. Reducing the false positives allows you to focus on the alerts that truly matter and pose a risk to your organization.

Long term, we may use machine learning-enabled features to make content-aware suggestions. For example, if you are working on a security investigation within a notable, Splunk might automatically suggest what action to take next. This type of content-aware suggestion can help improve the efficiency and effectiveness of investigations by learning which actions security professionals usually take. Suggestions such as these empower your workforce without additional training.

What data is being used?

We may analyze your log data. The log data can include all fields in your raw logs that are being sent to Splunk. We may use your log data to train and improve our algorithms. We may use the aggregated insights we obtain from machine learning to improve our products and services. The data is retained for 90 days.

When your data is used for machine learning development, it is always segmented from other organizations’ data. It is used to improve our algorithms which in turn improves the accuracy and efficiency of our products. At all times, your data is kept confidential, and your privacy is maintained in accordance with our Privacy Policy. We do not include any of your data in our products or features. If you would prefer that Splunk not use your data for these purposes, you can opt out of machine learning development at any time.

In the limited circumstances described below, we may manually review your content to train and improve the algorithms leveraged by our products and services. For example, we may manually identify an issue if you open a support case. Your data would be used to determine the root cause, enabling us to improve our algorithms to provide more accurate detections. For more information, see What data is manually reviewed?

How will you protect my privacy?

Splunk takes your privacy seriously. Your privacy is maintained during machine learning development, and none of your data is included in any of our products or features. The insights obtained through machine learning will not include personal information or information directly attributable to your organization, such as IP addresses, user names, or domains. Our manual review process includes safeguards to help protect your privacy. We only manually review your content at your request. If you submit non-public content for manual review, we do so only in secure facilities with personnel subject to confidentiality requirements and privacy training. For more information, see What data is manually reviewed?

What data is manually reviewed?

During troubleshooting or day-to-day use of our product, it is not uncommon for a customer to question the results of an analytic or machine learning algorithm. When questions like this arise, it is not unusual for customers to request a manual review of their raw log samples, metadata, or analytic result. Customers can submit data for manual review via a support request or programmatically through the product. We only manually review your data for one of the following reasons:

  • You requested a manual review.
  • Splunk requested permission and you granted access.

Can I turn it off (opt-out)?

Yes. If you do not want Splunk to analyze your data using machine learning to improve our products and services, you can opt out at any time by opening a support ticket asking to opt out of the “Customer Data Usage Program”.

Am I eligible to use Behavioral Analytics?

This feature is not available in the following compliant environments:

  • FedRAMP M
  • IL5
  • PCI