Skip to main content
Splunk Lantern

Detecting insider threats


​As an analyst, you are concerned with detecting threats from insiders who use authorized access to systems or their understanding of your organization to cause harm. You want to use Splunk software to better detect these types of threats.

How to use Splunk software for this use case

Splunk User Behavior Analytics uses machine learning and your existing data in a Splunk deployment to find anomalies that may indicate malicious behavior, such as insider threat. It includes a variety of indicators for suspicious or unusual user behavior that can alert your security team to investigate further. You do not have to comb through mountains of data to find out what a particular user has been up to on the corporate network. Instead, you can go to your Splunk User Behavior Analytics dashboard and look up any user to see their behavior patterns across all systems and machines on the network.

Baseline behavioral patterns

Splunk User Behavior Analytics focuses on two main use cases: detecting malicious insiders and identifying advanced cyber attacks happening inside the environment. Security analyst teams can be quickly overwhelmed by the number of alerts and incidents being generated in the environment. Splunk User Behavior Analytics helps to solve this issue by using machine learning to discover threats and patterns that indicate a problem. It does this by watching the behavior of users and entities in your environment and establishing a baseline of typical known behavior for each. It then compares new behavior patterns to the typical behavior baseline in order to find anomalies in those patterns. 

As security events flow into Splunk User Behavior Analytics, it analyzes events and builds behavior profiles for users, hosts, and applications. When an event deviates from the behavior profile in a statistically significant way, an anomaly is generated. An anomaly by itself is not always an indicator of malicious behavior. Splunk User Behavior Analytics uses algorithms to stitch related anomalies together to form a story of behavior and reveal potential threats, allowing it to discover abnormal behaviors that are not caught by most security software.

Not all abnormal behavior is bad behavior. Because of this, it is normal for you to find a number of false-positive threats in Splunk User Behavior Analytics. As you discover false-positives, you can suppress or remove these from the system. Splunk User Behavior Analytics will then automatically readjust behavior profiles.

Data considerations

There are only a small number of data source categories that are needed for Splunk User Behavior Analytics to function properly. However, providing additional data improves its functionality and the fidelity of the threats it produces for you. For more information on the required data sources, see Which data sources do I need? in Splunk Docs. 

The most essential data source required for proper functioning of Splunk User Behavior Analytics is your organization’s HR data. This data contains all of the information on each employee, their location, business title, and organizational structure. Additionally, asset data on the IT systems from the organization can be tied together with the HR data to provide the most relevant information. For instance, asset data often contains ownership information that lists to which laptop an employee is assigned. Another example would be if an employee’s credentials are used to access a system to which they would not typically need access for their job function. These are just a few examples, but you can begin to see how critical this information is to building anomalies for user behavior and detecting potential threats.

If you’re going to use Splunk User Behavior Analytics for insider threat detection, you can use the Data Availability page in Splunk User Behavior Analytics to review the data sources needed for the specific detections you may want. Here you can validate or troubleshoot your data ingestion, as well as identify missing data sources that will enable other use cases. 

Threat detection

When you get started in Splunk User Behavior Analytics it is a good practice to browse through the Anomalies and Threats pages to see the current events and types of behavior it has detected so far. This will help you get familiar with the interface, as well as the content and detections. You can also review the anomalies in the anomalies table. This view will allow you to filter by specific anomalies and view the events related to it. 


After you have familiarized yourself with the user interface and some of the anomaly types that are showing up in your environment, it’s time to focus on some threats.

You can follow the example shown on Splunk Docs on how to review a Data exfiltration by suspicious user or device threat. In this article, the section "Review current threats in your environment" shows how UBA uses multiple data sources to piece together a potential threat, providing insight for an analyst to review.

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.