Splunk User Behavior Analytics
Operationalize threat intelligence
Detect Insider Threats and External Attacks
Modern-day threats are driven either by external attackers or by malicious insiders. The latter are hard to detect because traditional security products do not focus on behavior, and sophisticated external attacks rely on new techniques and extended dormant periods. To remedy this, next-generation security tools must analyze trillions of events over extended periods of time and employ a new detection philosophy based on behavior modeling and peer-group analytics rather than a rule- or signature-driven approach.
Splunk UBA is an out-of-the-box solution built on a big data (Hadoop) platform that helps organizations find known, unknown and hidden threats. It uses a data-science-driven approach that produces actionable results with risk ratings and supporting evidence, so SOC analysts and hunters can quickly respond to and investigate threats.
Splunk User Behavior Analytics:
- Detects insider threats and external attacks using out-of-the-box purpose-built, but extensible unsupervised machine learning (ML) algorithms
- Provides context around the threat via ML driven anomaly correlation and visual mapping of stitched anomalies over various phases of the attack lifecycle (Kill-Chain View)
- Increases SOC efficiency with rank-ordered threats and supporting evidence
- Supports bi-directional integration with Splunk Enterprise for data ingestion and correlation and with Splunk Enterprise Security for incident scoping, workflow management and automated response
Anomaly Review (User Centric)
A high-level summary visualizing threats and anomalies found within the organization, along with stats on anomalous users, devices and applications.
Threat review screens assist with threat exploration by displaying the duration of the attack as well as the anomalies observed, compromised or malicious users, affected devices, and anomalous applications stitched together as part of the attack.
A user-centric view highlighting users or accounts along with their risk scores, anomalies and threats observed, and a histogram comparison of their susceptibility as an external or insider risk.
A dashboard displaying aggregates and baselines computed across multiple entities, along with breakdowns at the entity level.
Splunk User Behavior Analytics Key Features
Machine Learning: Purpose-built unsupervised machine learning algorithms provide high-efficacy results in real time for effective incident response and threat hunting, without the need for the algorithm to train or wait for user input.
Multi-Dimensional Behavior Baseline: Historical and real-time data assist with the creation of behavior baselines, which can identify outliers and provide visibility into organizational metrics.
Real-Time Threat Detection and Visualization: Self-learning machine learning algorithms can automatically stitch anomalies together into threats and then visualize them over a kill chain for a SOC analyst's response.
Bi-Directional Integration with Splunk Enterprise and Splunk Enterprise Security (Splunk ES): Seamless integration with Splunk Enterprise for data ingestion, along with real-time transfer of anomalies and threats into Splunk ES, helps organizations gain visual insights into their security posture and automate workflows.
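The detection philosophy described above (behavior baselines plus peer-group analytics, with anomalies stitched into kill-chain threats and rank-ordered by risk) can be shown end to end on a small constructed data set. The following Python script is an added illustration written for this page; it is not Splunk UBA code, and its feature names, kill-chain phase mapping, severities, z-score threshold and scoring rule are assumptions chosen for the example. It builds per-user and per-peer-group baselines from 30 days of constructed daily activity, flags features that deviate from either baseline, and then correlates one user's anomalies inside a time window into a single threat when they span more than one kill-chain phase.

```python
"""Toy behavior-baseline, peer-group and anomaly-stitching pipeline.
Added illustration only: not Splunk UBA code. The feature names, phase
mapping, severities and scoring are assumptions made for the example."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

FEATURES = ("off_hours_logins", "distinct_hosts", "mb_transferred")
# Hypothetical mapping of each behavioral feature to a kill-chain phase and a severity weight.
PHASE_OF = {"off_hours_logins": "initial_access",
            "distinct_hosts": "lateral_movement",
            "mb_transferred": "exfiltration"}
SEVERITY = {"off_hours_logins": 2, "distinct_hosts": 3, "mb_transferred": 5}


@dataclass(frozen=True)
class DailyActivity:
    user: str
    group: str          # peer group, e.g. department
    day: int
    off_hours_logins: int
    distinct_hosts: int
    mb_transferred: int


def sample_activity():
    """Constructed telemetry: 30 quiet baseline days, then two observed days."""
    rows = []
    for day in range(30):
        rows += [DailyActivity("alice", "finance", day, 0, 2, 40),
                 DailyActivity("bob", "finance", day, 0, 3, 55),
                 DailyActivity("carol", "finance", day, 0, 2, 45),
                 DailyActivity("dave", "eng", day, 1, 12, 600)]   # busy sysadmin, noisy by nature
    rows += [DailyActivity("alice", "finance", 30, 4, 11, 50),    # odd-hours logins + host fan-out
             DailyActivity("alice", "finance", 31, 0, 2, 900),    # bulk transfer the next day
             DailyActivity("dave", "eng", 30, 1, 13, 620)]        # ordinary day for dave
    return rows


def zscore(value, history):
    """Deviation of value from a history, with a floor so flat baselines do not explode."""
    mu = mean(history)
    spread = max(pstdev(history), 0.1 * abs(mu), 1.0)
    return (value - mu) / spread


def build_baselines(rows, baseline_days):
    """Per-user and per-peer-group history of every feature over the baseline window."""
    per_user = defaultdict(lambda: defaultdict(list))
    per_group = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r.day < baseline_days:
            for f in FEATURES:
                per_user[r.user][f].append(getattr(r, f))
                per_group[r.group][f].append(getattr(r, f))
    return per_user, per_group


def detect_anomalies(rows, baseline_days=30, threshold=3.0):
    """Flag a feature when it deviates from the user's own baseline or from the peer group.
    Both scores are kept as evidence; the peer score stops a user whose normal load is
    high (dave) from being flagged just for being busy."""
    per_user, per_group = build_baselines(rows, baseline_days)
    anomalies = []
    for r in rows:
        if r.day < baseline_days:
            continue
        for f in FEATURES:
            z_self = zscore(getattr(r, f), per_user[r.user][f])
            z_peer = zscore(getattr(r, f), per_group[r.group][f])
            if max(z_self, z_peer) > threshold:
                anomalies.append({"user": r.user, "day": r.day, "feature": f,
                                  "phase": PHASE_OF[f], "z_self": round(z_self, 1),
                                  "z_peer": round(z_peer, 1)})
    return anomalies


def stitch_threats(anomalies, window_days=7, min_phases=2):
    """Correlate one user's anomalies inside a time window into a ranked threat
    when they span at least min_phases distinct kill-chain phases."""
    by_user = defaultdict(list)
    for a in anomalies:
        by_user[a["user"]].append(a)
    threats = []
    for user, items in by_user.items():
        items.sort(key=lambda a: a["day"])
        first_day = items[0]["day"]
        window = [a for a in items if a["day"] - first_day <= window_days]
        phases = sorted({a["phase"] for a in window})
        if len(phases) >= min_phases:
            # Risk grows with both the severity of the evidence and how much of the kill chain it covers.
            score = sum(SEVERITY[a["feature"]] for a in window) * len(phases)
            threats.append({"user": user, "score": score, "phases": phases, "evidence": window})
    return sorted(threats, key=lambda t: t["score"], reverse=True)


if __name__ == "__main__":
    found = detect_anomalies(sample_activity())
    for t in stitch_threats(found):
        print(f"{t['user']}: score={t['score']} phases={t['phases']}")
        for a in t["evidence"]:
            print(f"  day {a['day']}: {a['feature']} z_self={a['z_self']} z_peer={a['z_peer']}")
```

Run as-is, the script reports a single threat for alice covering three phases, while dave, whose heavy host and data activity is consistent with his own history, produces no anomaly at all. The floor in `zscore` matters in practice: a baseline that is perfectly flat has zero standard deviation, and without a floor every deviation would be infinite.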
Splunk UBA Use Cases
Customers use Splunk UBA for the following use cases:
- Account Hijacking & Privileged Account Abuse
- Cloud Application Compromise
- Unusual Behavior: User, Device, & Application
- Malware Detection & Lateral Movement
Available Workflows in Splunk UBA
Splunk® UBA maps threats and anomalies across a kill chain to drive multiple workflows addressing the needs of analysts and hunters.
Why Splunk for User Behavior Analytics?
Splunk UBA augments your existing security team and makes it more productive by finding threats that would otherwise be missed for lack of people and time. Its powerful machine-learning framework, customization ability, and breadth of use cases help organizations with the automated detection of known, unknown, and hidden threats. Splunk UBA addresses the entire lifecycle of an attack, including insider threats and external attacks, and provides customers with the ability to detect, respond to and contain threats using Splunk Enterprise Security.