Creating risk notables using the behavioral analytics service

Leverage the supported detections to transform anomalies in the behavioral analytics service to risk notables in Splunk Enterprise Security. Converting these anomalies into risk events lets you avoid false positives but still address all potential risk within your security environment. You can also correlate the specific detections in behavioral analytics service with risk objects to set risk thresholds.

Risk factors defined in Splunk Enterprise Security adjust or weigh risk scores associated with specific risk objects based on certain conditions. The same entities in behavioral analytics service reflect the defined risk factors so that the entity risk levels are similar, even if the risk scores are on different scales. As a result, no duplicate notables get created when you leverage behavioral analytics service for risk detection within Splunk Enterprise Security. You can also identify the originating event that generated the risk event within Splunk Enterprise Security.

Notables generated by behavioral analytics service get sent through a pipeline into the risk index in Splunk Enterprise Security using the same Common Information Model (CIM) field mappings. The field mappings provided in the following table indicate how the specific fields in behavioral analytics service detections get converted to risk events in Splunk Enterprise Security. Use these field correlations to adjust risk factors and risk scores for events generated by the behavioral analytics service.

These field mappings conform to the fields in the Risk Analysis data model that describes the data generated by the risk framework in Splunk Enterprise Security. For more information on the fields in the Risk Analysis data model, see Risk Analysis data model fields.

To file a ticket on the Splunk Support Portal for help with field mappings, see Support and Services.

Note: Each event produced by a detection creates one risk event.
| Behavioral analytics service detection | Splunk Enterprise Security risk event | Example of field value |
| --- | --- | --- |
| detection_name | search_name | search_name="BA - Detect Dump LSASS Memory using comsvcs - Rule" |
| entity_id | risk_object | risk_object="device001" |
| entity_type | risk_object_type | risk_object_type="system" |
| risk_score | risk_score | risk_score=70 |
| cis_controls, nist_categories, kill_chain_phases, mitre_technique_ids | annotations | annotations={cis20:[""], kill_chain_phases:["Exploitation"], nist=["PR.DS","PR.IP"], mitre_attack=["T1489"]} |
| detection_id | detection_id* | detection_id="76bb9e35-f314-4c3d-a385-83c72a13ce4e" |
| detection_version | detection_version* | version=2 |
| start_time | info_min_time | info_min_time=1647574000 |
| end_time | info_max_time | info_max_time=1647575000 |
| Other fields generated by the detection, such as cmd_line and parent_process_name | Same as in detection* | cmd_line="c:\windows\system32\cmd.exe" parent_process_name="c:\program files\adobe\reader 8.0\reader\acrord32.exe" |

* Additional field that is not included in the risk event schema.
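The following is an added example, not Splunk's own pipeline code: it applies the mapping in the table above to one detection event and reports which carried-over fields fall outside the risk event schema (so they cannot be relied on in the Risk Analysis data model). The detection is represented as a plain dict keyed by the detection field names in the table; that input shape and the sample values are assumptions for illustration.

```python
# Added example: convert a behavioral analytics service detection event into the
# risk-event fields described in the mapping table. Not Splunk's code.

# One-to-one field renames, taken from the mapping table.
DIRECT_MAP = {
    "detection_name": "search_name",
    "entity_id": "risk_object",
    "entity_type": "risk_object_type",
    "risk_score": "risk_score",
    "start_time": "info_min_time",
    "end_time": "info_max_time",
}

# Four detection fields are folded into the single `annotations` field.
ANNOTATION_MAP = {
    "cis_controls": "cis20",
    "nist_categories": "nist",
    "kill_chain_phases": "kill_chain_phases",
    "mitre_technique_ids": "mitre_attack",
}

# Risk event fields the table marks as part of the risk event schema.
RISK_SCHEMA_FIELDS = set(DIRECT_MAP.values()) | {"annotations"}


def to_risk_event(detection: dict) -> dict:
    """Map a detection (dict of detection fields) to a risk event dict."""
    risk = {dst: detection[src] for src, dst in DIRECT_MAP.items() if src in detection}
    risk["annotations"] = {
        dst: list(detection.get(src, [])) for src, dst in ANNOTATION_MAP.items()
    }
    # detection_id, detection_version and any other detection fields are
    # carried over unchanged ("Same as in detection" in the table).
    for key, value in detection.items():
        if key not in DIRECT_MAP and key not in ANNOTATION_MAP:
            risk[key] = value
    return risk


def non_schema_fields(risk_event: dict) -> list:
    """Return the carried-over fields that are not in the risk event schema."""
    return sorted(k for k in risk_event if k not in RISK_SCHEMA_FIELDS)


# Constructed sample detection, using the example values from the table.
SAMPLE_DETECTION = {
    "detection_name": "BA - Detect Dump LSASS Memory using comsvcs - Rule",
    "entity_id": "device001", "entity_type": "system", "risk_score": 70,
    "cis_controls": [""], "nist_categories": ["PR.DS", "PR.IP"],
    "kill_chain_phases": ["Exploitation"], "mitre_technique_ids": ["T1489"],
    "detection_id": "76bb9e35-f314-4c3d-a385-83c72a13ce4e", "detection_version": 2,
    "start_time": 1647574000, "end_time": 1647575000,
    "cmd_line": r"c:\windows\system32\cmd.exe",
}
```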