Register here and ask questions below this thread for the Office Hours session on ML in Security: Insider Threat Detection on Wed, May 24, 2023 at 1pm PT / 4pm ET.
Join our bi-weekly Office Hour series where technical Splunk experts answer questions and provide how-to guidance on a different topic every month! This Office Hours session will cover anything related to how to deploy and use machine learning for insider threat detection. The panel will consist of expert Splunk ML and Threat Researchers. Come with any questions around leveraging the Machine Learning Toolkit app (MLTK), the Data Science and Deep Learning app (DSDL), Enterprise Security, or User Behavior Analytics (UBA) to detect insider threats and accelerate threat hunting with Splunk.
Please submit your questions below as comments in advance. You can also head to the #office-hours user Slack channel to ask questions (request access here). Prefer to submit anonymously? Fill out this form.
Pre-submitted questions will be prioritized. After that, we will go in order of the questions posted below, then will open the floor up to live Q&A with meeting participants. If there’s a quick answer available, we’ll post as a direct reply.
Look forward to connecting!
Hey Everyone!
Drop your questions/comments here for any topics you'd like to see discussed in the Community Office Hours session (you can also head to the #office-hours user Slack channel to ask questions and join the discussion - request access here).
Your questions can include anything around leveraging the MLTK app, the DSDL app, Enterprise Security, or User Behavior Analytics (UBA) to accelerate threat hunting with Splunk, or anything else you'd like to learn about implementing ML with Splunk.
Here are some of the questions from the session:
Questions from the Live Q&A
Q1: Is there a specific customer size for UBA qualification?
Q2: As SSE and ESCU are sort of 'free' detections, are there plans to continue updates to UBA Content Updates? I notice it hasn't been updated on Splunkbase since 2020.
Q3: Where does the UBA get events from? So do we need a separate feed to Splunk and a separate one to UBA?
Q4: Do you personally feel it's better to align data models for the standardization factor (CIM mapping), or the raw events for the more robust dataset, to train your models for threat hunting?