Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Which data sources do I need?

Before adding data sources to Splunk UBA, review the tables to find which data source types you may need to unlock desired use cases and detections.

Required data sources for Splunk UBA to identify users and devices

Human resources (HR) data and assets data are required for Splunk UBA to generate high-fidelity anomalies and threats.

Data Source How does Splunk UBA use this data?
HR data from your HR system HR data is required and must be the first data source ingested in Splunk UBA. HR data contains information about the accounts being tracked by Splunk UBA. HR data is required by Splunk UBA to identify accounts and categorize account types, then associate each account with a human user. See Why Splunk UBA requires HR data for more information.
Assets data from your CMDB, Splunk Enterprise Security, or Active Directory Assets data is required and must be the second data source onboarded, immediately after HR data. Assets data contains information about the devices in your environment. Assets data is required by Splunk UBA to track the behavior of assets in your system, display additional metadata for known entities, and allow filtering of devices that should not be associated with users. Splunk UBA requires assets data with DNS to properly perform device identify resolution. See Identify assets in your environment for more information.

See Ingest HR data and assets data using a dedicated source type for information about how to ingest these data sources.

Data sources for Splunk UBA to perform identity resolution

Splunk UBA performs identity resolution to find the real-time associations between IP addresses, host names, and users. Splunk UBA maintains these associations over time and also allows you to prevent anomalies from being generated for specific users and devices. See Exclude identity resolution for devices or users for more information.

The most accurate identity resolution is achieved by having all of the data sources in the table, and you must have at least one. The absence of a data source, such as DNS, does not prevent Splunk UBA from performing identity resolution, but may affect whether or not entities are properly mapped or whether the mappings are maintained over time.

Splunk UBA uses the following data sources to perform identity resolution:

Data Source How does Splunk UBA use this data?
Authentication Splunk uses login events in authentication data to perform the following entity mappings:
  • IP addresses to hostnames
  • IP addresses to user accounts
  • Hostnames to user accounts
DNS Splunk UBA uses DNS query response data to map IP addresses to hostnames.
DHCP Splunk UBA uses log entries from new, renewed, or released leases to perform the following mappings:
  • IP address to MAC address
  • IP address to hostname
VPN Splunk UBA uses login and logout events in VPN data to map IP addresses to users.

See Which connector should I use for a particular data source? for information about how to ingest each data source.

Data source types for use cases in Splunk UBA

After the required data sources are in Splunk UBA, ingest additional data sources to unlock detections for a variety of use cases in Splunk UBA. Splunk UBA provides the following use cases by default.

Splunk UBA Use Case Description Typical Contributing Factors and Data Sources
Account Misuse Accidental misuse and deliberate abuse of superuser privileges yield critical compliance and privacy risks with potentially severe financial consequences and damage to your company's reputation. Splunk UBA baselines the regular behavior of each accounts and identifies abnormalities that may indicate excessive usage, rare access, potential sabotage, or covering tracks. Splunk UBA's confidence grows as a user's activity deviates from the user's peer group profile and the enterprise profile. The higher the confidence, the higher the risk. Examples of such detections include using service accounts to do VPN or interactive logins, data snooping, deleting audit logs, and accessing confidential information. Data sources such as:
Compromised User Account Splunk UBA identifies situations where user credentials have been stolen and are being used by someone other than the authorized human user or application. This use case can also detect shared account usage and generic account abuse. Splunk UBA uses behavior modeling to identify any deviation of user activity from normal thereby indicating that someone other than the legitimate owner is operating the account. Detection encompasses identifying unusual or malicious AD activity such as operations on self, terminated users, disabled accounts, and account recovery. Data sources such as:
Compromised and Infected Machine Splunk UBA can identify compromised network endpoints that are infected by malware or are otherwise behaving suspiciously. This differs from the Compromised User Account use case in that malicious activity might be detected on a host but not necessarily linked to a specific user account. For example, command and control traffic can be identified from a system where no user is currently logged in. Behavior-based modeling enables Splunk UBA to identify malware activity irrespective of the delivery mechanism of initial infection. The detection techniques include tracking changes in communication patterns of devices, the nature of communication with external domains or IPs, or characteristics of the domains. Data sources such as:
Contextual Intelligence Splunk UBA learns a lot about users and entities in the organization to identify anomalies that could be linked to threats. This information is extremely useful for analysts performing alert triage and incident investigations. For example, if an analyst suspects that an endpoint has been compromised, the analyst can use Splunk UBA to learn about that desktop's users, their regular behavior, and even the role of that endpoint in the network. For example, is the endpoint a server or a workstation, and is it used for system administration or business functions? Identity resolution, device profiler models, and data sources such as:
Data Exfiltration Unauthorized or malicious data exfiltration may occur even by action of authorized users. As a result, this use case is focused on identifying this type of activity, which is necessary even when the ability to detect compromised accounts and endpoints is in place. Splunk UBA detects loss or theft of private and confidential data out of enterprise across multiple threat vectors such as network security infrastructure including firewall and proxies, online cloud storage, attached storage including USB devices, and email. Data sources such as:
Lateral Movement Lateral movement involves a trusted insider scanning and expanding access across multiple resources. Detection techniques such as rare access or expanding resource usage are used to identify lateral movement. Resources here can be machines, network file shares, box folders etc. Accesses can either be network scans, brute force logins or legitimate logins. Data sources such as:
Suspicious Behavior / Unknown Threats In cases when there are not enough pre-defined signatures or correlations to cover some scenarios, Splunk UBA can effectively identify unknown scenarios by identifying anomalies based on deviations in the user or device activity in comparison with self or peer group baselines, suspicious or malicious activity, and alerts from external tools and correlating them into a threat. These suspicious account activities and unknown threats often demand further investigation and can lead to other potential threats such as malvertising, account compromise, account misuse, policy violations, or misconfiguration. The Suspicious Behavior / Unknown Threats use case is often used for content building. When an unknown scenario is detected, the scenario can be written into correlation search or threat rules for deterministic detection. A combination of high scores or large number of anomalies associated with entities.

Data source types for anomalies in Splunk UBA

Before adding data sources to Splunk UBA, review this table to find which types of anomalies can be generated for certain types of data. Click on the column headers to sort by anomaly type or by data source type.

You want to see this anomaly You need these data sources
Anomalous USB Activity

DLP, Endpoint, External Alarm

Excluded Application

Firewall

Excluded Domain

HTTP, DNS

Excluded IP Address Network IDS/IPS
Brute Force Attack AD (Windows Security Events). See Add Windows events to Splunk UBA.
Download From Internal Server Firewall
Excessive Box Downloads Cloud Data
Excessive Data Printed Printer
Excessive Data Transmission Network IDS/IPS, Firewall
Excessive Database Administration Tasks Database
Excessive Database Help Actions Database
Excessive Database Permission Grants Database
Excessive Database Records Deleted Database
Excessive Database Records Modified Database
Excessive Database Records Read Database
Excessive Downloads via VPN VPN
Excessive File Size Change Cloud Data, Network IDS/IPS, Authentication
External Alarm External Alarm
External Alarm Activity External Alarm
External Website Attack HTTP
Failed Access By Disabled Badge Badge Access
Failed Badge Accesses on Multiple Doors Badge Access
Flight Risk User Firewall , HTTP, Email
Land Speed Violation Authentication
Local Account Creation Windows Security Events (AD), Windows Security Events (Workstation)
Machine Generated Beacon (HTTP) HTTP
Machine Generated Beacon (IP) Firewall
Malicious AD Activity AD (Windows Security Events). See Add Windows events to Splunk UBA.
Multiple Authentication Errors Authentication
Multiple Authentications Authentication
Multiple Badge Accesses Badge Access
Multiple Box Login Errors Cloud Data
Multiple Box Logins Cloud Data
Multiple Box Operations Cloud Data
Multiple External Alarms External Alarm
Multiple Failed Badge Access Attempts Badge Access
Multiple Login Errors Authentication
Multiple Logins Authentication
Multiple Outgoing Connections Firewall
Multiple Sessions Denial Firewall
Network Protocol Violation Firewall
Period with Unusual Windows Security Event Sequences AD (Windows Security Events). See Add Windows events to Splunk UBA.
Possible Phishing Attempt HTTP
Potential Data Staging External Alarm, Network IDS/IPS, Firewall
Potential Webshell Activity HTTP
Rule-based Anomaly Multiple
Scanning Activity Firewall
Suspicious Account Activity AD (Windows Security Events). See Add Windows events to Splunk UBA.
Suspicious Account Lockout AD (Windows Security Events). See Add Windows events to Splunk UBA.
Suspicious Box Usage Cloud Data
Suspicious Data Access Cloud Data, Network IDS/IPS, Authentication
Suspicious Data Movement Firewall
Suspicious Domain Communication Firewall, HTTP, DNS, External Alarm
Suspicious Domain Name HTTP, DNS
Suspicious Email Email
Suspicious HTTP Redirects HTTP
Suspicious IP Address Communication Firewall, HTTP
Suspicious Network Connection Firewall
Suspicious Network Exploration AD (Windows Security Events). See Add Windows events to Splunk UBA.
Suspicious New Access Cloud Data
Suspicious Powershell Activity AD (Windows Security Events). See Add Windows events to Splunk UBA.
Suspicious Privilege Escalation AD (Windows Security Events). See Add Windows events to Splunk UBA.
Unauthorized Login Attempt AD (Windows Security Events). See Add Windows events to Splunk UBA.
Unusual Activity Authentication, Network IDS/IPS
Unusual Activity Time Authentication, Network IDS/IPS
Unusual Application Scope External Alarm, Firewall, Network IDS/IPS
Unusual Badge Reader Access Badge Access
Unusual Box Activity Cloud Data
Unusual Cloud Storage Deletions Cloud Data
Unusual Cloud Storage Downloads Cloud Data
Unusual Database Activity Database
Unusual External Alarm External Alarm
Unusual File Access Cloud Data, Network IDS/IPS, Authentication
Unusual File Extension Cloud Data
Unusual Firewall Alarm Firewall
Unusual Geolocation of Communication Destination VPN
Unusual Machine Access Authentication, Network IDS/IPS
Unusual Network Activity Firewall
Unusual Printer Usage Printer
Unusual Time of Badge Access Badge Access
Unusual USB Activity Endpoint, External Alarm
Unusual USB Device Plugged In DLP
Unusual VPN Connection Sources Authentication, Cloud Data, Endpoint, External Alarm, Firewall, HTTP, Network IDS/IPS,

AD (Windows Security Events). See Add Windows events to Splunk UBA.

Unusual VPN Login Geolocation Authentication, Network IDS/IPS
Unusual Web Browser HTTP
Unusual Windows Login Events AD (Windows Security Events). See Add Windows events to Splunk UBA.
Unusual Windows Security Event AD (Windows Security Events). See Add Windows events to Splunk UBA.
Unusually Long VPN Session VPN
USB storage attached an unusually high number of times DLP
Last modified on 30 May, 2022
Use connectors to add data from the Splunk platform to Splunk UBA   Get data into Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.2, 5.0.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters