Which data sources do I need?
Before adding data sources to Splunk UBA, review the tables to find which data source types you may need to unlock desired use cases and detections.
- Required data sources for Splunk UBA to identify users and devices
- Data sources for Splunk UBA to perform identity resolution
- Data source types for use cases in Splunk UBA
- Data source types for anomalies in Splunk UBA
Required data sources for Splunk UBA to identify users and devices
Human resources (HR) data and assets data are required for Splunk UBA to generate high-fidelity anomalies and threats.
Data Source | How does Splunk UBA use this data? |
---|---|
HR data from your HR system | HR data is required and must be the first data source ingested in Splunk UBA. HR data contains information about the accounts being tracked by Splunk UBA. HR data is required by Splunk UBA to identify accounts and categorize account types, then associate each account with a human user. See Why Splunk UBA requires HR data for more information. |
Assets data from your CMDB, Splunk Enterprise Security, or Active Directory | Assets data is required and must be the second data source onboarded, immediately after HR data. Assets data contains information about the devices in your environment. Assets data is required by Splunk UBA to track the behavior of assets in your system, display additional metadata for known entities, and allow blacklisting of devices that should not be associated with users. Splunk UBA requires assets data with DNS to properly perform device identity resolution. See Identify assets in your environment for more information. |
See Ingest HR data and assets data using a dedicated source type for information about how to ingest these data sources.
Data sources for Splunk UBA to perform identity resolution
Splunk UBA performs identity resolution to find the real-time associations between IP addresses, host names, and users. Splunk UBA maintains these associations over time and also allows you to prevent anomalies from being generated for specific users and devices. See Exclude identity resolution for devices or users for more information.
The most accurate identity resolution is achieved by having all of the data sources in the table, and you must have at least one. The absence of a data source, such as DNS, does not prevent Splunk UBA from performing identity resolution, but may affect whether or not entities are properly mapped or whether the mappings are maintained over time.
Splunk UBA uses the following data sources to perform identity resolution:
Data Source | How does Splunk UBA use this data? |
---|---|
Authentication | Splunk UBA uses login events in authentication data to perform the following entity mappings: |
DNS | Splunk UBA uses DNS query response data to map IP addresses to hostnames. |
DHCP | Splunk UBA uses log entries from new, renewed, or released leases to perform the following mappings: |
VPN | Splunk UBA uses login and logout events in VPN data to map IP addresses to users. |
See Which connector should I use for a particular data source? for information about how to ingest each data source.
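The time-bounded mapping behavior described above (DHCP leases and DNS responses giving IP to host, VPN sessions giving IP to user, login events giving host to user, with mappings that expire when a lease is released or a session ends) as an added illustration; this is constructed example code, not Splunk UBA's implementation, and the event records, field names and `IdentityResolver` class are assumptions made here.

```python
# Constructed sample events (not Splunk UBA data); ts is minutes since midnight.
EVENTS = [
    (10, "dhcp", {"action": "new", "ip": "10.0.0.5", "host": "wks-01"}),
    (12, "auth", {"action": "login", "host": "wks-01", "user": "alice"}),
    (30, "dns", {"ip": "10.0.0.7", "host": "srv-db"}),
    (40, "vpn", {"action": "login", "ip": "172.16.0.9", "user": "bob"}),
    (55, "vpn", {"action": "logout", "ip": "172.16.0.9", "user": "bob"}),
    (60, "dhcp", {"action": "released", "ip": "10.0.0.5", "host": "wks-01"}),
    (61, "dhcp", {"action": "new", "ip": "10.0.0.5", "host": "wks-02"}),
]

class IdentityResolver:
    def __init__(self, events=()):
        self.maps = []  # rows of [start, end, kind, key, value]; end None = still open
        for ts, src, f in sorted(events, key=lambda e: e[0]):
            self.ingest(ts, src, f)

    def _close(self, kind, key, ts, value=None):
        for m in self.maps:
            if m[1] is None and m[2] == kind and m[3] == key and value in (None, m[4]):
                m[1] = ts  # the mapping stops being valid at ts

    def _open(self, kind, key, value, ts):
        self._close(kind, key, ts)  # a newer observation supersedes the open mapping
        self.maps.append([ts, None, kind, key, value])

    def ingest(self, ts, source, f):
        if source == "dhcp" and f.get("action") in ("new", "renewed"):  # lease: IP -> host
            self._open("ip_host", f["ip"], f["host"], ts)
        elif source == "dhcp" and f.get("action") == "released":
            self._close("ip_host", f["ip"], ts, f["host"])
        elif source == "dns":  # query response: IP -> hostname
            self._open("ip_host", f["ip"], f["host"], ts)
        elif source == "vpn" and f.get("action") == "login":  # VPN session: IP -> user
            self._open("ip_user", f["ip"], f["user"], ts)
        elif source == "vpn" and f.get("action") == "logout":
            self._close("ip_user", f["ip"], ts, f["user"])
        elif source == "auth" and f.get("action") == "login":  # login event: host -> user
            self._open("host_user", f["host"], f["user"], ts)

    def lookup(self, kind, key, ts):  # value mapped to key at time ts, else None
        return next((v for s, e, k, kk, v in self.maps
                     if k == kind and kk == key and s <= ts and (e is None or ts < e)), None)

    def user_for_ip(self, ip, ts):
        """VPN maps IP -> user directly; otherwise chain IP -> host -> user."""
        user = self.lookup("ip_user", ip, ts)
        if user is None and (host := self.lookup("ip_host", ip, ts)):
            user = self.lookup("host_user", host, ts)
        return user
```

Querying `user_for_ip("10.0.0.5", 65)` returns `None` even though the host is known, which is the "mapping not maintained over time" case the section warns about when a contributing source is absent.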
Data source types for use cases in Splunk UBA
After the required data sources are in Splunk UBA, ingest additional data sources to unlock detections for a variety of use cases in Splunk UBA. Splunk UBA provides the following use cases by default.
Splunk UBA Use Case | Description | Typical Contributing Factors and Data Sources |
---|---|---|
Account Misuse | Accidental misuse and deliberate abuse of superuser privileges yield critical compliance and privacy risks with potentially severe financial consequences and damage to your company's reputation. Splunk UBA baselines the regular behavior of each account and identifies abnormalities that may indicate excessive usage, rare access, potential sabotage, or covering tracks. Splunk UBA's confidence grows as a user's activity deviates from the user's peer group profile and the enterprise profile. The higher the confidence, the higher the risk. Examples of such detections include using service accounts to do VPN or interactive logins, data snooping, deleting audit logs, and accessing confidential information. | Data sources such as: |
Compromised User Account | Splunk UBA identifies situations where user credentials have been stolen and are being used by someone other than the authorized human user or application. This use case can also detect shared account usage and generic account abuse. Splunk UBA uses behavior modeling to identify any deviation of user activity from normal, indicating that someone other than the legitimate owner is operating the account. Detection encompasses identifying unusual or malicious AD activity such as operations on self, terminated users, disabled accounts, and account recovery. | Data sources such as: |
Compromised and Infected Machine | Splunk UBA can identify compromised network endpoints that are infected by malware or are otherwise behaving suspiciously. This differs from the Compromised User Account use case in that malicious activity might be detected on a host but not necessarily linked to a specific user account. For example, command and control traffic can be identified from a system where no user is currently logged in. Behavior-based modeling enables Splunk UBA to identify malware activity irrespective of the delivery mechanism of initial infection. The detection techniques include tracking changes in communication patterns of devices, the nature of communication with external domains or IPs, or characteristics of the domains. | Data sources such as: |
Contextual Intelligence | Splunk UBA learns a lot about users and entities in the organization to identify anomalies that could be linked to threats. This information is extremely useful for analysts performing alert triage and incident investigations. For example, if an analyst suspects that an endpoint has been compromised, the analyst can use Splunk UBA to learn about that desktop's users, their regular behavior, and even the role of that endpoint in the network. For example, is the endpoint a server or a workstation, and is it used for system administration or business functions? | Identity resolution, device profiler models, and data sources such as: |
Data Exfiltration | Unauthorized or malicious data exfiltration may occur even through the actions of authorized users. As a result, this use case is focused on identifying this type of activity, which is necessary even when the ability to detect compromised accounts and endpoints is in place. Splunk UBA detects loss or theft of private and confidential data out of the enterprise across multiple threat vectors such as network security infrastructure including firewalls and proxies, online cloud storage, attached storage including USB devices, and email. | Data sources such as: |
Lateral Movement | Lateral movement involves a trusted insider scanning and expanding access across multiple resources. Detection techniques such as rare access or expanding resource usage are used to identify lateral movement. Resources here can be machines, network file shares, Box folders, and so on. Accesses can be network scans, brute force logins, or legitimate logins. | Data sources such as: |
Suspicious Behavior / Unknown Threats | When there are not enough predefined signatures or correlations to cover a scenario, Splunk UBA can identify unknown scenarios by detecting anomalies based on deviations of user or device activity from self or peer group baselines, suspicious or malicious activity, and alerts from external tools, and correlating them into a threat. These suspicious account activities and unknown threats often demand further investigation and can lead to other potential threats such as malvertising, account compromise, account misuse, policy violations, or misconfiguration. The Suspicious Behavior / Unknown Threats use case is often used for content building: when an unknown scenario is detected, the scenario can be written into a correlation search or threat rule for deterministic detection. | A combination of high scores or a large number of anomalies associated with entities. |
Data source types for anomalies in Splunk UBA
Before adding data sources to Splunk UBA, review this table to find which types of anomalies can be generated for certain types of data.
You want to see this anomaly | You need these data sources |
---|---|
Blacklisted Application | Firewall |
Blacklisted Domain | HTTP, DNS |
Blacklisted IP Address | Network IDS/IPS |
Brute Force Attack | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Download From Internal Server | Firewall |
Excessive Box Downloads | Cloud Data |
Excessive Data Printed | Printer |
Excessive Data Transmission | Network IDS/IPS, Firewall |
Excessive Database Administration Tasks | Database |
Excessive Database Help Actions | Database |
Excessive Database Permission Grants | Database |
Excessive Database Records Deleted | Database |
Excessive Database Records Modified | Database |
Excessive Database Records Read | Database |
Excessive Downloads via VPN | VPN |
Excessive File Size Change | Cloud Data, Network IDS/IPS, Authentication |
External Alarm | External Alarm |
External Alarm Activity | External Alarm |
External Website Attack | HTTP |
Failed Access By Disabled Badge | Badge Access |
Failed Badge Accesses on Multiple Doors | Badge Access |
Flight Risk User | Firewall, HTTP, Email |
Land Speed Violation | Authentication |
Local Account Creation | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Machine Generated Beacon (HTTP) | HTTP |
Machine Generated Beacon (IP) | Firewall |
Malicious AD Activity | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Multiple Authentication Errors | Authentication |
Multiple Authentications | Authentication |
Multiple Badge Accesses | Badge Access |
Multiple Box Login Errors | Cloud Data |
Multiple Box Logins | Cloud Data |
Multiple Box Operations | Cloud Data |
Multiple External Alarms | External Alarm |
Multiple Failed Badge Access Attempts | Badge Access |
Multiple Login Errors | Authentication |
Multiple Logins | Authentication |
Multiple Outgoing Connections | Firewall |
Multiple Sessions Denial | Firewall |
Network Protocol Violation | Firewall |
Period with Unusual Windows Security Event Sequences | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Possible Phishing Attempt | HTTP |
Potential Webshell Activity | HTTP |
Rule-based Anomaly | Multiple |
Scanning Activity | Firewall |
Suspicious Account Activity | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Suspicious Account Lockout | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Suspicious Box Usage | Cloud Data |
Suspicious Data Access | Cloud Data, Network IDS/IPS, Authentication |
Suspicious Data Movement | Firewall |
Suspicious Domain Communication | Firewall, HTTP, DNS, External Alarm |
Suspicious Domain Name | HTTP, DNS |
Suspicious Email | |
Suspicious HTTP Redirects | HTTP |
Suspicious IP Address Communication | Firewall, HTTP |
Suspicious Network Connection | Firewall |
Suspicious Network Exploration | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Suspicious New Access | Cloud Data |
Suspicious Powershell Activity | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Suspicious Privilege Escalation | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Unauthorized Login Attempt | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Unusual Activity | Authentication, Network IDS/IPS |
Unusual Activity Time | Authentication, Network IDS/IPS |
Unusual Application Scope | External Alarm, Firewall, Network IDS/IPS |
Unusual Badge Reader Access | Badge Access |
Unusual Box Activity | Cloud Data |
Unusual Cloud Storage Deletions | Cloud Data |
Unusual Cloud Storage Downloads | Cloud Data |
Unusual Database Activity | Database |
Unusual External Alarm | External Alarm |
Unusual File Extension | Cloud Data |
Unusual Geolocation of Communication Destination | VPN |
Unusual Machine Access | Authentication, Network IDS/IPS |
Unusual Network Activity | Firewall |
Unusual Printer Usage | Printer |
Unusual Time of Badge Access | Badge Access |
Unusual USB Activity | Endpoint, External Alarm |
Unusual USB Device Plugged In | DLP |
Unusual VPN Login Geolocation | Authentication, Network IDS/IPS |
Unusual Web Browser | HTTP |
Unusual Windows Login Events | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Unusual Windows Security Event | AD (Windows Security Events). See Add Windows events to Splunk UBA. |
Unusually Long VPN Session | VPN |
USB storage attached an unusually high number of times | DLP |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1