Splunk® Add-on for Splunk UBA



This documentation does not apply to the most recent version of Splunk® Add-on for Splunk UBA. For documentation on the most recent version, go to the latest release.

Deploy the Splunk add-on for Splunk UBA

Splunk Enterprise Security includes this add-on. You cannot download it from Splunkbase.

Compatible software versions and available functionality

When you integrate Splunk Enterprise Security and Splunk UBA, you get different types of functionality depending on the versions of the products that you integrate. Each version includes the functionality available in previous versions.

New functionality available | Splunk add-on for Splunk UBA version | Splunk Enterprise Security version | Splunk UBA version | Splunk platform version
Send threats to Enterprise Security. | 1.0.0 | 4.0.x | 2.0.x or later | 6.3.x - 6.5.x
Send anomalies to Enterprise Security. | 1.0.0 | 4.1.x | 2.1.1 or later | 6.3.x - 6.5.x
Send correlation search results to Splunk UBA. | 1.0.0 | 4.5.x | 3.0.x or later | 6.4.4 and later
Send user and device associations to Enterprise Security. | 1.1.0 | 4.7.x | 3.2.1 or later | 6.5.x and later
Send audit events to the Splunk platform. | 1.2.0 | 4.7.2 | 3.3.0 or later | 6.5.x and later
All of the above functionality. | 1.3.0 | 4.7.3 and 4.7.4 | 3.3.0 or later | 6.5.x and later

Distributed deployments

Determine where and how to install this add-on in your distributed deployment using the tables on this page. Depending on your environment, your preferences, and the requirements of the add-on, you might need to install the add-on in multiple places.

To deploy it alongside Splunk Enterprise Security, see Deploy add-ons included with Splunk Enterprise Security in the Splunk Enterprise Security Installation and Configuration Manual.

This add-on includes two indexes, ueba and ubaroute.

Where to install this add-on

Splunk instance type | Supported | Required | Comments
Search Heads | Yes | Yes | This add-on is installed on the search head when you install Enterprise Security.
Indexers | Yes | Yes | This add-on includes two indexes and index-time configurations.
Heavy Forwarders | Yes | See comments | All forwarder types are supported. Installing on a forwarder is not required.
Universal Forwarders | Yes | See comments | All forwarder types are supported. Installing on a forwarder is not required.
Light Forwarders | Yes | See comments | All forwarder types are supported. Installing on a forwarder is not required.

Distributed deployment feature compatibility

This table describes the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature | Supported | Details
Search Head Clusters | Yes | Changes made during setup must be manually deployed.
Indexer Clusters | Yes | This add-on contains indexes.
Deployment Server | Yes | Supported for deploying the configured add-on to multiple nodes.
Last modified on 29 May, 2019

This documentation applies to the following versions of Splunk® Add-on for Splunk UBA: 1.1.0, 1.2.0, 1.3.0
