Splunk User Behavior Analytics
Security Through User and Entity Behavior Analytics
Protect Against Insider Threats Using Machine Learning
Splunk User Behavior Analytics (UBA) is a machine learning-powered solution that delivers the answers you need to find unknown threats and anomalous behavior across users, endpoint devices and applications. It focuses not only on external attacks but also on insider threats. Its machine learning algorithms produce actionable results with risk ratings and supporting evidence that augment security operations center (SOC) analysts' existing techniques for faster action. Additionally, it provides visual pivot points for security analysts and threat hunters to proactively investigate anomalous behavior.
Splunk User Behavior Analytics software:
- Enhances detection footprint by using a behavior-centric, purpose-built and configurable machine learning framework that leverages unsupervised algorithms
- Augments SOC analyst user and entity behavior analytics’ (UEBA) capabilities by automatically stitching hundreds of anomalies into a single threat
- Provides enhanced context by visualizing threats across multiple phases of the attack
- Supports bi-directional integration with Splunk Enterprise for data ingestion and correlation and with Splunk Enterprise Security (ES) for incident scoping, investigation and automated response
A high-level summary visualizing threats and anomalies found within the organization, along with stats on anomalous users, devices and applications.
Kill Chain View: Visual exploration of an attack with details such as attack duration, entities involved, and observed anomalies categorized over the intrusion, expansion and exfiltration phases of the kill chain.
Peer Group Visualization: View of dynamic peer groups computed using behavioral analytics, Active Directory and organization structure, highlighting similar users and outliers.
A dashboard displaying aggregates and baselines computed across multiple entities, along with a detailed breakdown at the entity level.
User Risk Scoring & Monitoring: Monitor users and filter them via multiple risk scores such as insider risk percentile, external risk percentile, number of anomalies, number of threats and an overall user score.
Anomalies With Categories: Over 45 anomaly categories are available out-of-the-box, including Unusual Network Activity, Suspicious Data Movement, Unusual Activity Time and others. Each can be custom scored for prioritization and suppressed for effective hunting and threat generation. All anomalies are triggered via machine learning algorithms.
Threats With Categories: Over 20 threat categories are available out-of-the-box, including Data Exfiltration, Lateral Movement, Compromised Account, Suspicious Behavior and others, each of which can be custom scored for prioritization. Customers can write their own use cases (threats) by directing the machine learning framework on which anomalies to stitch together and how. All threats are generated via machine learning algorithms.
Integrated Incident Visualization: Observe activities of threat actors in ES via UBA Asset & Identity Associations, view UBA-generated anomalies and threats along with other swimlane indicators in Asset Investigator, and refer to a dedicated UBA dashboard with additional details.
Splunk User Behavior Analytics Key Features
Unsupervised Machine Learning: Purpose-built, unsupervised machine learning algorithms generate fewer false positives, offer broad coverage and produce high-confidence results, which help with incident response and threat hunting.
Multi-Dimensional Behavior Baseline: Historical and real-time data assist with the creation of behavior baselines such as probabilistic suffix trees, counts over multiple time series and more, which helps with identifying outliers and provides visibility into organizational metrics.
Custom Threat Generation: Customize the underlying machine learning framework to stitch together anomalies of interest and address custom use cases via fine-grained controls.
User Monitoring & Watch List: Monitor users and their activity using custom widgets or on-the-fly watch lists for quick and easy access.
Anomaly Suppression & Scoring: Prioritize detected anomalies by applying custom scores, and suppress triggered anomalies to attain higher-fidelity threats.
Bi-Directional Integration With Splunk Enterprise and Splunk Enterprise Security: Seamless integration with Splunk Enterprise for data ingestion, coupled with real-time transfer of anomalies and threats into Splunk Enterprise Security, helps organizations gain visual insights into their security posture from high-fidelity alerts and automate response.
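The datasheet describes three steps that any UEBA pipeline has to perform: building per-user and peer-group baselines from time-series counts, turning outliers into scored (and optionally suppressed) anomalies in named categories, and stitching several anomalies on one entity into a single threat. The toy model below is an added illustration of those steps written for this page; it is not Splunk UBA's code or algorithm. It borrows only the category and threat names from the datasheet (Suspicious Data Movement, Unusual Activity Time, Data Exfiltration); the sample events, the peer-group mapping, the z-score threshold, the stitching window and the score weights are all constructed assumptions.

```python
"""Toy UEBA pipeline: baseline -> scored/suppressed anomalies -> stitched threats.

Illustrative example for this page only, NOT Splunk UBA's implementation.
Category/threat names come from the datasheet; everything else is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (user, day, metric, value).
# "bytes_out" = MB sent to external hosts per day; "login_hour" = first logon hour.
EVENTS = (
    [("alice", d, "bytes_out", v) for d, v in enumerate([10, 12, 9, 11, 10, 13, 950])]
    + [("bob", d, "bytes_out", v) for d, v in enumerate([14, 11, 15, 12, 13, 10, 12])]
    + [("carol", d, "bytes_out", v) for d, v in enumerate([8, 9, 7, 10, 9, 8, 9])]
    + [("alice", d, "login_hour", v) for d, v in enumerate([9, 9, 8, 9, 9, 9, 3])]
    + [("bob", d, "login_hour", v) for d, v in enumerate([8, 9, 9, 8, 9, 9, 8])]
    + [("carol", d, "login_hour", v) for d, v in enumerate([9, 8, 9, 9, 8, 9, 9])]
)
# Constructed peer groups (stand-in for the AD / org-structure groups the page mentions).
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance"}
# Anomaly category per metric (names from the page) and constructed custom scores.
CATEGORY = {"bytes_out": "Suspicious Data Movement", "login_hour": "Unusual Activity Time"}
CATEGORY_SCORE = {"Suspicious Data Movement": 8, "Unusual Activity Time": 4}
# Constructed threat rule: fire when a user shows every listed category within a window.
THREAT_RULES = {"Data Exfiltration": {"Suspicious Data Movement", "Unusual Activity Time"}}


def zscore(value, history):
    """Standard score of value against history. A constant history with a
    differing value is treated as an infinite deviation rather than hidden."""
    m, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if value == m else float("inf")
    return (value - m) / sd


def detect_anomalies(events, z_threshold=3.0, suppressed=frozenset()):
    """Flag a day's value only if it is an outlier against BOTH the user's own
    prior history and the peer group's prior history; requiring both avoids
    flagging a whole team that legitimately changed its habits. Categories in
    `suppressed` never fire (the page's anomaly suppression)."""
    series = defaultdict(list)  # (user, metric) -> [(day, value), ...] in day order
    for user, day, metric, value in sorted(events, key=lambda e: e[1]):
        series[(user, metric)].append((day, value))
    anomalies = []
    for (user, metric), points in series.items():
        cat = CATEGORY[metric]
        if cat in suppressed:
            continue
        for i, (day, value) in enumerate(points):
            own_hist = [v for _, v in points[:i]]
            if len(own_hist) < 3:  # need some baseline before judging anything
                continue
            peer_hist = [v for (u, m), pts in series.items()
                         if m == metric and PEER_GROUP[u] == PEER_GROUP[user]
                         for d, v in pts if d < day]
            if abs(zscore(value, own_hist)) >= z_threshold and \
               abs(zscore(value, peer_hist)) >= z_threshold:
                anomalies.append({"user": user, "day": day, "category": cat,
                                  "value": value, "score": CATEGORY_SCORE[cat]})
    return sorted(anomalies, key=lambda a: (a["user"], a["day"]))


def stitch_threats(anomalies, rules=THREAT_RULES, window_days=2):
    """Stitch a user's anomalies into one threat per rule whose category set is
    fully covered inside a sliding window; the threat score is the sum of the
    member anomaly scores, so custom category scores drive prioritization."""
    by_user = defaultdict(list)
    for a in anomalies:
        by_user[a["user"]].append(a)
    threats = []
    for user, items in by_user.items():
        for name, needed in rules.items():
            best = None
            for anchor in items:
                window = [a for a in items if 0 <= a["day"] - anchor["day"] <= window_days]
                if needed <= {a["category"] for a in window}:
                    cand = {"threat": name, "user": user, "anomalies": len(window),
                            "score": sum(a["score"] for a in window),
                            "days": (anchor["day"], max(a["day"] for a in window))}
                    if best is None or cand["score"] > best["score"]:
                        best = cand
            if best:
                threats.append(best)
    return threats


def run(events=EVENTS, suppressed=frozenset()):
    """Full pipeline: returns (anomalies, threats)."""
    anomalies = detect_anomalies(events, suppressed=suppressed)
    return anomalies, stitch_threats(anomalies)


if __name__ == "__main__":
    for a in run()[0]:
        print("anomaly:", a)
    for t in run()[1]:
        print("threat:", t)
```

Running it on the constructed data yields two anomalies for alice on day 6 (a large outbound transfer and a 3 a.m. logon) that stitch into one Data Exfiltration threat with score 12; suppressing the Unusual Activity Time category leaves the data-movement anomaly but no threat, which is the trade-off the page's suppression control makes.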
Splunk User Behavior Analytics Security Use Cases
Customers use Splunk UBA for the following use cases:
Detect Data Exfiltration
Detect Insider Access Abuse, Including Privilege Abuse
Provide Context & Information for Investigations
Detect Compromised Endpoints
Custom Use Cases
Available Workflows in Splunk User Behavior Analytics
Splunk UBA maps threats and anomalies across the kill chain to drive multiple workflows addressing the needs of security analysts.
Network Behavior Analysis
Two Premium Solutions Working Together
By combining Splunk ES and Splunk UBA, organizations gain maximum value in detecting and resolving threats and anomalies through the combined power of human-driven and machine-driven solutions.
Why Splunk for User and Entity Behavior Analytics?
Splunk UBA augments your existing security team and makes it more productive by finding threats that would otherwise be missed due to a lack of people, resources and time. Its powerful machine learning framework, customizability and breadth of use cases help organizations automate the detection of unknown threats and anomalous behavior. Splunk UBA seamlessly integrates with Splunk Enterprise and Splunk Enterprise Security to help with end-to-end incident or breach resolution.