Here are some of the questions from the session:

• Q1: While there is certainly no one size fits all response, how does the resource utilization for applying ML for detection affect resource planning for ES? 
  • A: Mostly ML detections run as correlation searches and there is a deployment guide for Enterprise Security that allows customers to review load and configure deployment. As the question mentioned, resource requirement is case dependent. I would suggest 2 best practices 
    • 1) Make search head powerful as possible as you can because MLTK needs it
    • 2) Schedule MLTK correlation search apart enough so that dependent MLTK runs can have enough time to finish.

• Q2: It appears that there are two risk scores for a user.  One in UBA and one in ES.  Is there a way for these two to talk so we have just one universal score?
  • A: Integrating risk events here: https://docs.splunk.com/Documentation/ES/7.1.1/RBA/Unifiedriskanalysis 
  • More about integrating risk events into Splunk ES: https://docs.splunk.com/Documentation/ES/7.1.1/RBA/Unifiedriskanalysis  

• Q3:  What are Splunk offerings for DIY Insider threat detection powered by ML? 
  • A: Splunk offers two ML platforms to develop your own ML based detection:  MLTK - Machine Learning Toolkit, and DSDL - Data Science and Deep Learning toolkit

• Q4: What is your view on using Deep Learning vs. using other machine learning techniques for threat detection?
  • A: Deep Learning is a type of ML technique. Normally DL is well suited to tasks for which there is large amounts of data present. Simpler ML techniques such as Random Forests and SVMs may work better for smaller amounts of data. DL also works very well for language models. So, it depends upon the task at hand and the nature of data, to decide which tool is best for the job.

• Q5: What's the performance impact on Splunk when we use machine learning?
  • A: UBA/DSDL requires separate infrastructure so it doesn’t affect performance of Splunk. However with ES/MLTK based ML, it will affect infrastructure depending on the training and inference time and resources.

Questions from the Live Q&A 

Q1:  Is there a specific customer size for UBA qualification?

• A: If you mean the number of people in the organization, sometimes ML detections are much more useful if you do it over a population. So if you have only a size of five people in your organization, perhaps ML detection is not the best way to do things. But if you have 1000 or 5000 then things might be more accurate.Either way, you will 100% need a team to manage a UBA simply because if there is a detection, if there is an alert, somebody has to diagnose and understand what are the reasons and how to act.

Q2:  As SSE and ESCU are sort of 'free' detections, are there plans to continue updates to UBA Content Updates? I notice it hasn't been updated on Splunkbase since 2020.

• A: Yes, definitely expect new content coming to you. We are actively working on it, as they are both very important to us. Check out the detections we linked in question number 1 in the deck. 

Q3: Where does the UBA get events from? So do we need a seperate feed to Splunk and separate to UBA?

• A: When you are buying an app such as UBA, you would need to configure it. So there's a little work involved to get you on top of running UBA and ES as well. So you may have the same feed. But they need to be pointed to different locations, so that these 2 apps start working.

Q4: Do you personally feel it's better to align data models for the standardization factor (CIM mapping), or the raw events for the more robust dataset, to train your models for threat hunting? 

• A: In certain scenarios, standardization is desired. For example, if you want to get rid of PII you know you want data, and only in certain formats, and if you understand how the data is coming in, then you can anonymize it better. And make sure that only clean data is fed to the model. But in general, the raw data events are the best.
• I would say both of them. If you are a true data scientist and you have access to all the data, then you want to build your detection on top of raw data, because you want to capture as much information as possible or any kind of signal from broad data. When we are standardizing, we are losing some information at some level, although it makes the life easy. So it depends on your data science background, time, and how much you want to spend resources over it.