Welcome to Splunk UBA 5.0.0
Splunk UBA 5.0.0 is a platform release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.
If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documentation before you get started:
- See Upgrade Splunk UBA prerequisites for information you need to know before you upgrade.
- Splunk UBA requires incremental upgrades from earlier versions. See How to install or upgrade to this release of Splunk UBA for upgrade path information.
What's new in 5.0.0
Splunk UBA 5.0.0 contains the following features and enhancements:
| New feature or enhancement | Description and Documentation |
|---|---|
| Custom use case framework | |
| Develop your own models in Splunk UBA to generate custom content and create your own use cases. You can clone or create new custom batch models, and also create new data cubes. | |
| A new content developer role is provided for users to develop custom content without interfering with ongoing Splunk UBA activities. | |
| High availability and disaster recovery | |
| Configure warm standby in your deployment for high availability and disaster recovery. When the active Splunk UBA deployment is not available, you can failover to a duplicate standby Splunk UBA deployment.
Warm standby is a beta feature and must be implemented with the assistance of Splunk Support. | |
| Collect periodic incremental backups that can be used for high availability as well as backup and restore use cases. Backups of Splunk UBA are collected without having to stop Splunk UBA.
Automatic incremental backup and restore is a beta feature and must be implemented with the assistance of Splunk Support. | |
| Backup and restore Splunk UBA using scripts when you need to perform Splunk UBA migrations across operating systems. Both scripts will fully stop and restart Splunk UBA.
| |
| HR data | HR data supports additional attributes by default: Employee Type, Departing User, On Performance Improvement Plan, Traveling, and High Risk User
|
| Add your own attributes to HR data that are not provided by Splunk UBA.
| |
| Device management | |
| Create IDR exclusion lists in Splunk UBA when you want to exclude users or devices from anomalies.
| |
| Support is provided for multivalue fields in assets data. | |
| Asset data is used by Splunk UBA to perform device resolution.
| |
| Mask PII for auto-processed emails | The email output connector now has an option to mask PII for auto-processed emails.
|
| Single sign-on configuration | Single sign-on configuration in Splunk UBA is simplified. Use the Splunk UBA web interface to download and upload metadata files and automatically populate the required fields to integrate Splunk UBA with your SSO provider.
|
| Splunk UBA logging | Splunk UBA logs can be sent to Splunk Enterprise using a custom index instead of _internal. Contact Splunk Support to obtain a new Splunk license so you can ingest Splunk UBA logs free of charge.
|
| IP allow lists and domain deny lists and allow lists. | The default set of denied domains, allowed domains, and allowed IP addresses included with Splunk UBA are updated.
|
| Splunk UBA Kafka Ingestion App | If you are sending events from Splunk Enterprise directly to Kafka using the Splunk UBA Kafka Ingestion app, you can upgrade to version 1.2 of the app. This version is compatible with Splunk UBA and Splunk Enterprise using Python 3.
|
| MaxMind database | The MaxMind location database is updated for accurate mapping of IP addresses to geographic locations. |
New third-party software updates
This version of Splunk UBA includes the following third-party software updates. See Third-party credits in Splunk UBA.
- OpenJDK is updated to version 1.8.0_191
- InfluxDB is updated to version 1.7.7
- Python is updated to version 3.6 and 3.7
External dependencies
A summary of external dependencies required to install Splunk UBA is included in the .tgz archive that you download for installation. View this summary by performing the following tasks:
- Download the
Splunk_UBA_<version>-Packages_RHEL_<version>.tgzfile. - Look for the
uba_rhel<version>_dependencies_rpms.txtfile in theSplunk_UBA_<version>-Packages_RHEL_<version>folder. This file contains the external dependencies.
You can also download this external dependencies file:
| Known Issues in Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0
Download manual
Feedback submitted, thanks!