Exploring Entity Behavior Beyond Logs on the Splunk Platform

Searching for bad actors within your organization can be challenging, like trying to find a needle in a haystack. To uncover these bad actors, we can utilize anomaly detection using the Splunk Platform (specifically Splunk Cloud Platform or Splunk Enterprise). By leveraging lookups, averages, and standard deviations, we can create behavior profiles and accurately identify outliers.

Anomaly detection involves analyzing data to identify deviations from normal behavior. User and entity behavior analytics (UEBA) rely on anomaly detection to pinpoint outliers among users and entities like IP addresses, hosts, and applications.

There are two types of anomaly detection: entity-based and peer-based. Entity-based anomaly detection identifies deviations from an entity’s typical behavior, while peer-based anomaly detection compares an entity’s behavior to its peer group. These baselines are established using historical data to identify unusual occurrences.

For example, downloading an abnormally large amount of data from Google Drive signifies an entity-based rare event.

UEBA tools offer machine learning and anomaly detection capabilities. While this method using SPL and lookups in Splunk Platform provides UEBA-like features, it’s essential to clarify that it’s not a native UEBA solution like Splunk UBA. This blog focuses on entity-based anomaly detection.

Entity-Based Anomaly Detection – Rare Events

To detect rare events, we can construct behavior profiles for employees by running specific searches in Splunk. The output is stored in a lookup file for monitoring and analyzing user behavior.

        sourcetype="cloudtrail_json" eventName=ConsoleLogin
        ...

Setting up alerts that monitor user behavior in real time is crucial for detecting anomalies quickly.

        sourcetype="_json_blogl" eventName=ConsoleLogin
        ...

Scheduling regular searches helps in monitoring and maintaining behavior profiles.

With the implemented alert system, any unusual activity can be promptly detected, such as users authenticating from unusual locations.

Entity-Based Anomaly Detection – Unusual Spikes

Behavior-based anomaly detection can also identify unusual spikes in activity, indicating potential security threats. Constructing baselines for users and monitoring deviations from these baselines helps in detecting suspicious behavior.

        sourcetype="XmlWinEventLog" EventID=4625
        ...

Regularly updating baselines and adjusting alert parameters can enhance the accuracy of anomaly detection.

Baselines are calculated based on historical data and stored in lookup files for reference.

Setting up correlation searches can help in triggering alerts for unusual spikes in activity compared to baseline behavior.

        sourcetype="XmlWinEventLog" EventID=4625
        ...

Continuously monitoring user behavior for anomalies is essential in maintaining security and operational efficiency.
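As an added example (not code from this post or from Splunk), the following Python mirrors the lookup, average and standard-deviation logic behind both the rare-event search (ConsoleLogin from a location not seen before) and the unusual-spike search (EventID 4625 failed logons) described above, run over constructed sample counts. The 3-sigma threshold, the min_days and min_delta floors, and the sample users are assumptions, not values the post states.

```python
import statistics
from collections import defaultdict

# Constructed sample of daily failed-logon counts per user, the shape a scheduled
# "stats count BY user" search would write to a lookup (day, user, count).
HISTORY = [
    ("2024-05-01", "alice", 2), ("2024-05-02", "alice", 3), ("2024-05-03", "alice", 1),
    ("2024-05-04", "alice", 2), ("2024-05-05", "alice", 2),
    ("2024-05-01", "bob", 10), ("2024-05-02", "bob", 12), ("2024-05-03", "bob", 9),
    ("2024-05-04", "bob", 11), ("2024-05-05", "bob", 8),
]

def build_baseline(rows, min_days=3):
    """Per-user avg/stdev of daily counts: the content of the baseline lookup."""
    per_user = defaultdict(list)
    for _day, user, count in rows:
        per_user[user].append(count)
    baseline = {}
    for user, counts in per_user.items():
        if len(counts) < min_days:
            continue  # too little history to profile; treated as an unknown entity
        baseline[user] = {"avg": statistics.mean(counts),
                          "stdev": statistics.pstdev(counts)}  # population stdev
    return baseline

def detect_spikes(today_counts, baseline, sigma=3.0, min_delta=5):
    """Flag a user whose count exceeds avg + sigma*stdev, or who has no profile."""
    alerts = []
    for user, count in today_counts.items():
        profile = baseline.get(user)
        if profile is None:
            alerts.append((user, count, "no_baseline"))
            continue
        threshold = profile["avg"] + sigma * profile["stdev"]
        # min_delta keeps a near-zero stdev from alerting on a one-event change
        if count > threshold and count - profile["avg"] >= min_delta:
            alerts.append((user, count, f"spike>{threshold:.1f}"))
    return alerts

def detect_rare_logins(known_pairs, events):
    """Rare-event check: a (user, country) pair not yet in the lookup of seen
    pairs is alerted once, then recorded so repeats are not re-alerted."""
    alerts = []
    for user, country in events:
        if (user, country) not in known_pairs:
            alerts.append((user, country))
            known_pairs.add((user, country))
    return alerts
```

In the Splunk setup the baseline dict is the lookup your scheduled search writes, and min_days and min_delta are the knobs to revisit when refining baselines to cut false positives.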

Best Practices

  • Utilize keywords and filters to enhance search performance.
  • Maintain up-to-date behavior profiles and baselines.
  • Implement alert suppression to prevent duplicate alerts.
  • Consistently name searches and lookup files for easy tracking.
  • Refine baselines and searches for optimal results.

By leveraging UEBA within the Splunk Platform, organizations can enhance security measures and optimize operational efficiency. Empower yourself with data analytics to make informed decisions and strengthen cyber resilience.

If this approach does not meet your needs, consider using Splunk UBA for advanced anomaly detection capabilities.

Copyright © TSP 2024. All rights reserved. Designed by Enovate LLC