User Behavior Analytics Product Tour

Protect Against Insider Threats Using Machine Learning

Splunk User Behavior Analytics (UBA) is a machine learning-powered solution that delivers the answers you need to find unknown threats and anomalous behavior across users, endpoint devices and applications. It covers not only external attacks but also the insider threat. Its machine learning algorithms produce actionable results with risk ratings and supporting evidence that augment security operations center (SOC) analysts' existing techniques for faster action. Additionally, it provides visual pivot points for security analysts and threat hunters to proactively investigate anomalous behavior.

Splunk User Behavior Analytics software:

  • Enhances detection footprint by using a behavior-centric, purpose-built and configurable machine learning framework that leverages unsupervised algorithms
  • Augments SOC analysts' user and entity behavior analytics (UEBA) capabilities by automatically stitching hundreds of anomalies into a single threat
  • Provides enhanced context by visualizing threats across multiple phases of the attack
  • Supports bi-directional integration with Splunk Enterprise for data ingestion and correlation and with Splunk Enterprise Security (ES) for incident scoping, investigation and automated response

Get Started

  • Product Brief: Splunk User Behavior Analytics
  • Technical Brief: Using Splunk® User Behavior Analytics
  • Splunk UBA Use Case: Insider Threats
  • Splunk UBA Use Case: External Threats
  • Splunk UBA Animation Video: Detect External Attacks and Insider Threats

Splunk User Behavior Analytics Key Features


Big Data Foundation (Hadoop, Spark and GraphDB)

Built on a big data foundation, Splunk UBA scales horizontally to process billions of events per day and supports analysis of hundreds of thousands of organizational entities.

Unsupervised Machine Learning

Purpose-built, unsupervised machine learning algorithms generate fewer false positives, offer broad coverage and produce high-confidence results, which help with incident response and threat hunting.

Multi-Dimensional Behavior Baseline

Historical and real-time data are used to build behavior baselines, such as probabilistic suffix trees and counts over multiple time series, which help identify outliers and provide visibility into organizational metrics.

Custom Threat Generation

Customize the underlying machine learning framework to stitch anomalies of interest and address custom use cases via fine-grained controls.

User Monitoring & Watch List

Monitor users and their activity using custom widgets or on-the-fly watch lists for quick and easy access.

Anomaly Suppression & Scoring

Prioritize detected anomalies by applying custom scores, and suppress anomalies that add no value, so that the threats built from them are of higher fidelity.
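To make the two ideas above concrete (a per-entity baseline built from counts over a time series that flags outliers, and custom scoring and suppression of the resulting anomalies before they are stitched into a single per-user threat), here is an added illustration in Python. It is not Splunk UBA code and does not describe Splunk's algorithms: the robust z-score (median and MAD), the 3.5 threshold, the per-anomaly-type scores and the suppression list are all assumptions chosen for the example, and the telemetry is constructed inline.

```python
"""Illustration of baseline -> anomaly -> score/suppress -> stitched threat.

Added example, not Splunk UBA code.  Statistics and scoring rules below are
assumptions for illustration, not a description of Splunk's algorithms.
"""
from collections import defaultdict
from statistics import median

# Constructed sample telemetry, one value per day for each (user, event_type).
# Days 1-9 form the baseline window; day 10 is the day under review.
HISTORY = {
    ("alice", "login_count"):  [4, 5, 4, 6, 5, 4, 5, 6, 5, 40],
    ("alice", "egress_bytes"): [50, 60, 55, 65, 50, 70, 60, 55, 65, 900],  # MB
    ("bob", "login_count"):    [3, 4, 3, 5, 4, 3, 4, 5, 4, 4],
    ("bob", "failed_login"):   [0, 1, 0, 2, 1, 0, 1, 0, 1, 30],
    ("bob", "egress_bytes"):   [40, 45, 40, 50, 45, 40, 45, 50, 45, 45],
}
# Flatten into raw events of the shape (day, user, event_type, value).
EVENTS = [(day, user, etype, value)
          for (user, etype), values in HISTORY.items()
          for day, value in enumerate(values, start=1)]

# Assumed custom scores per anomaly type and an assumed suppression list:
# failed logins are treated here as a noisy source the analyst has muted.
CUSTOM_SCORES = {"egress_bytes": 8, "login_count": 4, "failed_login": 3}
SUPPRESSED_TYPES = {"failed_login"}


def daily_counts(events):
    """Aggregate raw events into {(user, type): {day: total}} time series."""
    series = defaultdict(lambda: defaultdict(float))
    for day, user, etype, value in events:
        series[(user, etype)][day] += value
    return series


def robust_zscore(history, value):
    """Distance of value from the baseline in MAD units (median-based, so a
    single past spike does not inflate the baseline the way a mean would)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:  # flat history: any deviation is maximally surprising
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to ~sigma


def detect_anomalies(events, baseline_days, target_day, threshold=3.5):
    """Flag every (user, type) whose target_day value is an outlier."""
    anomalies = []
    for (user, etype), per_day in daily_counts(events).items():
        history = [per_day.get(d, 0.0) for d in baseline_days]
        value = per_day.get(target_day, 0.0)
        z = robust_zscore(history, value)
        if z > threshold:
            anomalies.append({"user": user, "type": etype, "day": target_day,
                              "value": value, "zscore": round(z, 1)})
    return anomalies


def score_and_suppress(anomalies, scores=CUSTOM_SCORES, suppressed=SUPPRESSED_TYPES):
    """Drop suppressed anomaly types and attach the custom score to the rest."""
    return [{**a, "score": scores.get(a["type"], 1)}
            for a in anomalies if a["type"] not in suppressed]


def stitch_threats(scored, min_score=10):
    """Stitch scored anomalies per user into one threat with a summed risk
    score and the list of anomaly types as supporting evidence."""
    per_user = defaultdict(list)
    for a in scored:
        per_user[a["user"]].append(a)
    threats = [{"user": user, "risk": sum(a["score"] for a in anoms),
                "evidence": sorted(a["type"] for a in anoms)}
               for user, anoms in per_user.items()]
    return sorted((t for t in threats if t["risk"] >= min_score),
                  key=lambda t: -t["risk"])


def run_pipeline(events=EVENTS, baseline_days=range(1, 10), target_day=10):
    """Full chain: baseline -> anomalies -> scored/suppressed -> threats."""
    anomalies = detect_anomalies(events, list(baseline_days), target_day)
    scored = score_and_suppress(anomalies)
    return anomalies, scored, stitch_threats(scored)


if __name__ == "__main__":
    raw, kept, threats = run_pipeline()
    print("raw anomalies:", [(a["user"], a["type"], a["zscore"]) for a in raw])
    print("after suppression:", [(a["user"], a["type"], a["score"]) for a in kept])
    print("threats:", threats)
```

Running it, three raw anomalies fire on day 10 (alice's login count and egress volume, bob's failed logins); suppression removes bob's failed-login anomaly, and only alice's two remaining anomalies are stitched into a threat with risk 12. The point a practitioner should take from it is that suppression and scoring decide which anomalies ever reach the threat layer, so a muted type is invisible there even when its z-score is large.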

Bi-Directional Integration With Splunk Enterprise and Splunk Enterprise Security

Seamless integration with Splunk Enterprise for data ingestion, coupled with real-time transfer of anomalies and threats into Splunk Enterprise Security, gives organizations high-fidelity alerts, visual insight into their security posture and the ability to automate response.

Splunk User Behavior Analytics Security Use Cases

Customers use Splunk UBA for the following use cases:

Detect Data Exfiltration
Quickly identify evidence of data exfiltration from assets or users within an organization, drawing on data loss prevention (DLP) alerts, cloud access security broker (CASB) logs, network traffic data or any combination of these.
Insider Access Abuse, Including Privilege Abuse
Identify users, both employees and trusted third parties, who abuse their privileges, leading to excessive or unauthorized access to data or abuse of system privileges.
Providing Context & Information for Investigations
Provide information from user and entity behavior analytics, anomalies and threats to perform alert triage and incident investigations.
Detect Compromised Endpoint
Identify network endpoints that have been compromised, infected by malware or are otherwise behaving suspiciously and gain insights into misuse or abuse of applications.
Custom Use Case
Write new use cases by stitching together anomaly models of your choice and overlaying your own risk scores and remediation actions.

Available Workflows in Splunk User Behavior Analytics

Splunk UBA maps threats and anomalies across a kill chain to drive multiple workflows addressing the needs of security analysts.
Anomaly Exploration
A fully automated and customizable anomaly detection framework enables a hunter to explore machine learning outcomes, identify key violations and find suspicious patterns.
Threat Detection
A fully automated and customizable threat detection framework addresses insider threats and custom use cases such as privileged account abuse, lateral movement, suspicious behavior and more.
Network Behavior Analysis
Gain insights into user and entity activity, peer groups, insider and external risk percentiles and more.

Two Premium Solutions Working Together

By combining Splunk ES and Splunk UBA, organizations gain maximum value in detecting and resolving threats and anomalies through the combined power of human-driven and machine-driven analysis.

Why Splunk for User and Entity Behavior Analytics?

Splunk UBA augments your existing security team and makes it more productive by finding threats that would otherwise be missed for lack of people, resources and time. Its powerful machine learning framework, customizability and breadth of use cases help organizations automate the detection of unknown threats and anomalous behavior. Splunk UBA integrates seamlessly with Splunk Enterprise and Splunk Enterprise Security to support end-to-end incident or breach resolution.
