
Background

The Splunk App for Behavioral Profiling is built around the concepts of entities and behavioral anomalies:

  • An Entity is considered any mappable group of “things” represented in data which you wish to profile using the app. Examples include: customers, employees, business units, applications, servers, branches, etc.

  • A Behavioral Indicator Search is a scheduled search which tracks a behavior metric exhibited by the group of entities. It populates the index defined by the search macro indicator_index.

  • A Behavioral Anomaly is a deviation from expected behavior; either a difference between an entity and its peers, an entity and its historic behavior, or some combination of the two.

  • An Anomaly Scoring Rule is a scheduled search which determines which of the Behavioral Indicator values are considered behavior anomalies and assigns scores to them. It populates the index defined by the search macro scoring_index.

Operationalising behavioral anomaly detections at scale, and resolving them back to the entities they relate to, has in the past been a complex task in Splunk. It required an understanding and implementation of:

  • Splunk’s Search Processing Language (SPL) to define a search
  • Search scheduling to operationalise that search
  • Machine learning and ML-SPL to define and interpret anomaly criteria

The Splunk App for Behavioral Profiling orchestrates all of the above behind a simple click-through workflow, enabling you to deploy behavioral indicator searches with one line of SPL, and introduces a simple scoring mechanism that directs attention away from false positives and towards the entities that truly matter.

App Architecture

The app uses a three-layer architecture to turn your raw data sources into behavior-profiled entities:

  1. Behavioral Indicator Searches are deployed to track entity behaviors and output the metrics to the indicator_index on a user-defined schedule.
  2. The defined indicator_index is then used as the feed for the Anomaly Scoring Rules, which apply criteria ranging from simple conditional logic (e.g. indicator value > 5000) to machine learning based anomaly detection, identifying the anomalously behaving entities and writing dynamic scores for them to the scoring_index.
  3. The defined scoring_index then populates the Entity Behavioral Scores dashboard to display a list of entities that are prioritized by aggregated behavioral score for investigation.
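To make the three layers and the two kinds of behavioral anomaly (peer deviation and historic deviation) concrete, here is an added illustration in plain Python. It is not the app's own code or SPL, and the app's real scoring rules, field names and macros are not reproduced; it models the pipeline on a constructed set of indicator records (failed logins per user per hour), scores each record with a static threshold rule, a peer z-score and a historic z-score, and aggregates the scores per entity the way a behavioral scores dashboard would rank them. The entity names, the thresholds and the gate_on_history option are illustrative assumptions.

```python
"""Added illustration of the three-layer pipeline (not the app's own code).

Layer 1: indicator records (constructed here, as a behavioral indicator
         search would write them to the indicator index).
Layer 2: an anomaly scoring rule combining a static threshold, a peer
         deviation and a historic deviation, each as a z-score.
Layer 3: aggregation of scores per entity, i.e. what a behavioral scores
         dashboard would rank for investigation.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: failed logins per user per hour (periods 1..6).
# dave is a service account that always fails a lot (a chronic peer outlier);
# alice behaves normally and then spikes in period 6.
INDICATOR_RECORDS = [
    {"period": p, "entity": e, "value": v}
    for e, values in {
        "alice": [1, 2, 1, 2, 1, 15],
        "bob":   [2, 1, 2, 1, 2, 2],
        "carol": [1, 1, 2, 2, 1, 1],
        "dave":  [20, 21, 19, 20, 21, 21],
    }.items()
    for p, v in enumerate(values, start=1)
]


def _zscore(value, baseline):
    """z-score of value against a baseline population; None when undefined."""
    if len(baseline) < 2:
        return None
    sd = pstdev(baseline)
    if sd == 0:
        # Flat baseline: any deviation is infinitely surprising, none is zero.
        return 0.0 if value == baseline[0] else float("inf")
    return (value - mean(baseline)) / sd


def peer_z(records, period, entity):
    """Deviation of an entity from its peers in the same period."""
    me = [r["value"] for r in records if r["period"] == period and r["entity"] == entity]
    peers = [r["value"] for r in records if r["period"] == period and r["entity"] != entity]
    return _zscore(me[0], peers) if me else None


def historic_z(records, period, entity, min_history=3):
    """Deviation of an entity from its own earlier periods."""
    me = [r["value"] for r in records if r["period"] == period and r["entity"] == entity]
    history = [r["value"] for r in records if r["period"] < period and r["entity"] == entity]
    if not me or len(history) < min_history:
        return None  # not enough history to judge: no anomaly either way
    return _zscore(me[0], history)


def score_record(value, pz, hz, *, static_threshold=10, z_threshold=3.0,
                 cap=10.0, gate_on_history=False):
    """Anomaly scoring rule for one indicator record (assumed weights).

    static_threshold: simple conditional rule (value > threshold), worth 1 point.
    z_threshold:      a z-score at or above this is an anomaly and contributes
                      min(z, cap) points.
    gate_on_history:  when True, a peer deviation only counts if the entity
                      also deviates from its own history, which suppresses
                      entities that are always unlike their peers.
    """
    score = 1.0 if value > static_threshold else 0.0
    hist_hit = hz is not None and hz >= z_threshold
    peer_hit = pz is not None and pz >= z_threshold
    if hist_hit:
        score += min(hz, cap)
    if peer_hit and (hist_hit or not gate_on_history):
        score += min(pz, cap)
    return score


def score_indicators(records, **rule_kwargs):
    """Layer 2: run the scoring rule over every indicator record."""
    scored = []
    for r in records:
        pz = peer_z(records, r["period"], r["entity"])
        hz = historic_z(records, r["period"], r["entity"])
        s = score_record(r["value"], pz, hz, **rule_kwargs)
        if s > 0:  # only anomalies are written to the scoring index
            scored.append({**r, "peer_z": pz, "historic_z": hz, "score": s})
    return scored


def rank_entities(scored):
    """Layer 3: aggregate scores per entity, highest first."""
    totals = defaultdict(float)
    for s in scored:
        totals[s["entity"]] += s["score"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("peer deviation counts on its own:",
          rank_entities(score_indicators(INDICATOR_RECORDS)))
    print("peer deviation gated on history:",
          rank_entities(score_indicators(INDICATOR_RECORDS, gate_on_history=True)))
```

The two rankings show why the combination in the definition of a Behavioral Anomaly matters: scored on peer deviation alone, the chronic outlier dave accumulates points every period and buries alice, whose period 6 spike is the event worth investigating; gating the peer rule on the entity's own history puts alice at the top and leaves dave with only the static threshold points.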