ACTIONABLE ALERTS – Detect Abnormal Data Transfer using ML

Detecting abnormal or suspicious upload or download activity by a user with a machine learning model.
A leading power distribution organization wants to monitor insider threats by detecting abnormal or suspicious upload or download activity by its users.

CHALLENGES

  • Security threat: Identify malicious insiders who might leak sensitive data from the power utility.
  • False positive reduction: Traditional SIEM rules generate many false positive alerts, so the focus is on leveraging ML capabilities for anomaly detection.

SOLUTIONS

  • Leveraged Splunk Enterprise for integration, aggregation, and cleaning/transformation of data.
  • Utilized the Splunk MLTK app to visualize the data, model it, and evaluate model performance.
  • Evaluated multiple ML models for detecting suspicious upload or download activity.
  • Packaged and deployed the selected model successfully in the production environment.
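The detection the bullets above describe, reduced to a runnable sketch: the example below is added here and is not the organization's or Splunk's own code. It parses constructed Squid native-format access.log lines, baselines each user's daily download volume, and flags days whose modified z-score (median/MAD) exceeds a threshold; the page does not say which MLTK models were evaluated, so the statistic, the 3.5 threshold and the minimum-history guard are assumptions standing in for the deployed model.

```python
"""Baseline each proxy user's daily download volume and flag outlier days."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed Squid native access.log lines (not from the page). Fields:
# time elapsed client action/code bytes method URL user hierarchy/peer type.
# 'bytes' is the reply size (download); uploads need %>st from a custom logformat.
SAMPLE_LOG = """\
1700000000.123 220 10.0.0.5 TCP_MISS/200 4200000 GET http://f.example/a alice HIER_DIRECT/203.0.113.9 application/zip
1700086400.456 180 10.0.0.5 TCP_MISS/200 5100000 GET http://f.example/b alice HIER_DIRECT/203.0.113.9 application/zip
1700172800.789 200 10.0.0.5 TCP_MISS/200 4800000 GET http://f.example/c alice HIER_DIRECT/203.0.113.9 application/zip
1700259200.321 210 10.0.0.5 TCP_MISS/200 5000000 GET http://f.example/d alice HIER_DIRECT/203.0.113.9 application/zip
1700345600.654 9000 10.0.0.5 TCP_MISS/200 480000000 GET http://f.example/dump alice HIER_DIRECT/203.0.113.9 application/zip
1700000000.111 100 10.0.0.7 TCP_MISS/200 900000 GET http://n.example/ bob HIER_DIRECT/203.0.113.10 text/html
1700000000.333 50 10.0.0.9 TCP_DENIED/403 3000 GET http://x.example/ - HIER_NONE/- text/html
"""

def daily_volume(log_text):
    """Sum reply bytes per user per UTC day; skip malformed and unauthenticated lines."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[7] == "-":      # too short, or no authenticated user
            continue
        try:
            ts, size = float(f[0]), int(f[4])
        except ValueError:
            continue
        day = datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()
        totals[f[7]][day] += size
    return totals

def flag_outliers(totals, threshold=3.5, min_days=3):
    """Return (user, day, bytes, score) for days whose modified z-score exceeds threshold."""
    alerts = []
    for user, days in totals.items():
        if len(days) < min_days:           # not enough history to baseline this user
            continue
        values = list(days.values())
        med = median(values)
        mad = median(abs(v - med) for v in values)
        if mad == 0:                       # identical days: no spread to score against
            continue
        for day, v in sorted(days.items()):
            score = 0.6745 * (v - med) / mad   # Iglewicz-Hoaglin modified z-score
            if score > threshold:
                alerts.append((user, day, v, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_outliers(daily_volume(SAMPLE_LOG)):
        print("ALERT user=%s day=%s bytes=%d score=%.1f" % alert)
```

Only alice's 480 MB day is raised; bob has too little history to baseline and the unauthenticated request is ignored, which is the kind of guard that keeps a volume-based alert from flooding analysts.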

BENEFITS

  • Visibility into insider threats.
  • Reduced false positive alerts.
  • Reduced manual effort around log and alert review.

Monitored Systems/Data Sources: Squid proxy logs.

Users: Security Operations Center team

Product: Splunk Enterprise

Splunk App: Machine Learning Toolkit (MLTK)