Find the Unusual with the Splunk App for Behavioral Profiling 2.0

There are times where being unusual is a good thing - unconventional thinking can lead to innovation in industry, science and culture, enabling everyone from businesses to artists to stand out from the pack. 

The Splunk App for Behavioral Profiling (SABP) helps users tackle the other kind of unusual - the bad kind. Regardless of your domain, the app provides a streamlined end-to-end workflow to build and deploy scored anomaly rules which aggregate to identify the entities, or things, displaying behaviors which require investigation.

Over the past 4 months, I’ve had the opportunity to work with customers using the SABP to identify accounts displaying potentially fraudulent behavior, employees showing signs of insider threat and platform services degrading towards downtime - and with the app all of these use cases require minimal understanding of Splunk’s SPL query language and machine learning capabilities to get up and running.

In the new 2.0 release of the SABP, we’re excited to announce a variety of capabilities providing enhancements across the application workflow in response to customer feedback. Existing users will find quality of life improvements regardless of whether they’re developing behavioral indicator searches and anomaly scoring rules, managing the lifecycle of existing content or investigating potentially anomalous entities - so let’s take a look at these in more detail:

Enhanced Workflow for Building Searches to Identify the Anomalous Entities in your World

The first thing you’ll notice when opening the SABP is an entirely new user interface, designed to improve experience through increased clarity, responsiveness and robustness of the underlying platform.

^{1.0 Create Anomaly Scoring Rule UI}

^{2.0 Create Anomaly Scoring Rule UI}

Nowhere is this more apparent than the new workflow pages for building behavioral indicator searches and anomaly scoring rules where react-based menus leveraging Splunk UI replace their SimpleXML-based predecessors. 

Whilst developing these new workflows required re-architecture of the application from the ground up, as you can see from the above comparison the latest release provides a streamlined, intuitive method of deploying searches. This will increase user efficiency and underlying platform robustness with ReactJS inputs/variables replacing temperamental Splunk SimpleXML tokens.

Extended Set of Configuration Options for Content Management

Working with customers who have deployed the SABP has been hugely insightful, not just in terms of how they’re using the app to assist with use cases across domains such as Insider Threat, Fraud, Cybersecurity and IT Operations, but also with regards to the ways in which their Splunk Environments differ. To better support this variation, the 2.0 release of SABP supports a wider set of options for content management:

^{2.0 Delete Indicator Workflow}

• One-click deletion: Developing use cases within the SABP leads to creation of a lot of backend-supporting objects and to better prevent content sprawl, we’ve developed functionality to support single-click deletion of all associated content for behavioral indicators and scoring searches.
• Your indexes, your choice: SABP 2.0 introduces search macros allowing customers to choose which indexes on their instance are used to store the output of behavioral indicator searches and anomaly scoring rules. This will increase flexibility to support naming conventions and other customer-specific constraints.
• Lookup-based baselines: In addition to the existing KV store-based workflow for historic baseline creation, SABP 2.0 alternatively supports use of lookup files for storing this information, helping customers with privilege constraints on their Splunk instances.

Enhanced Capabilities for Analysis and Documentation During Investigation

Finally, as well as smoothing the process of drilling down to raw data from identified anomalous entities, we’ve introduced a number of quality-of-life improvements for admins and analysts of all domains who are using the SABP for investigation. 

^{2.0 Reviewer User Information}

These include:

• Introduction of a “Today” timespan option on the entity behavioral scores investigative dashboard, offering more flexibility for ad-hoc analysis.
• Display of the reviewer who marked a given entity as “reviewed” on the entity behavioral scores investigative dashboard, allowing easier communication and documentation of investigations undertaken as a team.

Get Started or Upgrade Today!

The Splunk App for Behavioral Profiling 2.0 update is available today directly within both Cloud and On-Prem environments, or via Splunkbase. Hopefully I've enticed you to give it a try with this blog post, but if you’d like to know more you can check out the online documentation!

Thank you, and happy Splunking!

Special thanks to Josh Cowling, my co-developer on this app, for his vital support and to all the Splunkers and customers who’ve shaped the app’s development.