ETEVERS
Yong Park, General Manager
Splunk SIEM (Enterprise Security) integrates machine learning (ML) for anomaly detection, risk-based alerting, and predictive analytics, overcoming the limitations of traditional rule-based detection.
1. Building Custom Models with MLTK (Machine Learning Toolkit)
• Use the Density Function algorithm to establish baseline patterns of normal user access, enabling automatic detection of abnormal logins (e.g., Israel Ministry of Energy case)
• Apply TF-IDF and logistic regression to identify malicious web shell command sequences (e.g., Siemens case)
• Real-time data collection → iterative model training → automated alert configuration
2. Risk-Based Alerting (RBA)
• Assign risk scores to users/systems, automating alert prioritization
• Risk scoring can reduce mean time to respond (MTTR) by 30%
• Improves accuracy in detecting insider threats (e.g., data exfiltration attempts)
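To make sections 1 and 2 concrete, the following is an added example (not Splunk's or ETEVERS' code) that reproduces, in plain Python, what the MLTK Density Function approach does for login baselining and then feeds the result into a risk-based alerting roll-up: a per-user Gaussian baseline of login hour is fitted from constructed training events, new logins whose tail probability falls below a threshold are flagged, each flagged event contributes a risk score, and per-user totals are ranked against a notable threshold. The event records, user names, score weights and the 0.01 threshold are all assumptions chosen for illustration; users with no baseline (never seen in training) and users with a near-constant schedule (standard deviation close to zero) are handled explicitly, since both break a naive density check.

```python
import math
from collections import defaultdict
from statistics import mean, stdev

# Constructed training data: normal login hours per user (assumption, not real logs).
# alice works daytime; bob works a late shift; carol has no history at all.
TRAINING_LOGINS = (
    [{"user": "alice", "hour": h} for h in (9, 9, 10, 9, 10, 8, 9, 10, 9, 10)]
    + [{"user": "bob", "hour": h} for h in (22, 23, 22, 23, 22, 23, 22, 23, 22, 23)]
)

# Constructed new events to score (assumption).
NEW_LOGINS = [
    {"user": "alice", "hour": 10},  # in baseline
    {"user": "alice", "hour": 3},   # 3 a.m. login, far outside baseline
    {"user": "bob", "hour": 22},    # in baseline
    {"user": "bob", "hour": 14},    # mid-afternoon, outside late-shift baseline
    {"user": "bob", "hour": 2},     # also outside baseline
    {"user": "carol", "hour": 11},  # no baseline exists for this user
]

# Illustrative risk weights (assumption): how much each finding adds to a user's score.
RISK_OUTSIDE_BASELINE = 40
RISK_NO_BASELINE = 20
MIN_STDEV = 0.5  # floor so a constant schedule does not turn every deviation into infinity


def build_baselines(events):
    """Fit a (mean, stdev) login-hour baseline per user, like `fit DensityFunction hour by user`."""
    hours = defaultdict(list)
    for e in events:
        hours[e["user"]].append(e["hour"])
    baselines = {}
    for user, hs in hours.items():
        if len(hs) < 2:
            continue  # stdev is undefined for a single sample; leave the user without a baseline
        baselines[user] = (mean(hs), max(stdev(hs), MIN_STDEV))
    return baselines


def tail_probability(z):
    """Two-sided Gaussian tail probability of a z-score, via the complementary error function."""
    return math.erfc(abs(z) / math.sqrt(2))


def score_event(event, baselines, threshold=0.01):
    """Flag a login whose hour is improbable under the user's baseline and attach a risk score."""
    user = event["user"]
    if user not in baselines:
        return {"user": user, "anomaly": True, "reason": "no baseline", "risk": RISK_NO_BASELINE}
    mu, sd = baselines[user]
    # Note: hour-of-day is circular (23 and 0 are adjacent); a production model should
    # use a circular distance or a density estimate that handles wraparound.
    z = (event["hour"] - mu) / sd
    p = tail_probability(z)
    if p < threshold:
        reason = f"login hour {event['hour']} outside baseline (z={z:.1f}, p={p:.2e})"
        return {"user": user, "anomaly": True, "reason": reason, "risk": RISK_OUTSIDE_BASELINE}
    return {"user": user, "anomaly": False, "reason": "within baseline", "risk": 0}


def aggregate_risk(events, baselines, notable_at=50):
    """Risk-based alerting roll-up: sum per-user risk and mark users crossing the notable threshold."""
    totals = defaultdict(int)
    for e in events:
        result = score_event(e, baselines)
        totals[result["user"]] += result["risk"]
    ranked = [(user, score, score >= notable_at) for user, score in totals.items()]
    return sorted(ranked, key=lambda row: -row[1])


if __name__ == "__main__":
    baselines = build_baselines(TRAINING_LOGINS)
    for e in NEW_LOGINS:
        print(score_event(e, baselines))
    for user, score, notable in aggregate_risk(NEW_LOGINS, baselines):
        print(f"{user}: risk={score} notable={notable}")
```

The roll-up is the point of RBA: a single odd login (alice at 3 a.m.) stays below the notable threshold and becomes context rather than an alert, while bob accumulates enough score from repeated out-of-baseline logins to surface as one prioritised notable instead of several separate alerts.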
3. Enhanced Behavioral Analytics
• Integrate with UBA (User Behavior Analytics) to classify over 65 anomaly types:
  ◦ Abnormal data movement, privilege escalation attempts, compromised account detection
• Use graph analysis to identify lateral movement patterns within networks
4. Proactive Threat Response
• Streaming models enable real-time threat prediction (e.g., detecting attacks 15 minutes in advance)
• Integration with the MITRE ATT&CK framework for attacker profiling
5. Operational Efficiency
• ML-based correlation analysis reduces false positives, cutting SOC workload by 40%
• Build automated investigation workflows (Investigation Workbench)