Delete anomalies in Splunk UBA

Anomalies may be generated but upon investigation be deemed to have low value. The following examples represent situations where anomalies are expected and have less value than cases where anomalies are not expected:

• If you have a penetration tester on your network, the tester's behavior can create anomalies that do not indicate a real threat to your environment.
• If one employee takes on additional job roles to cover another employee's vacation or leave, the employee's out-of-the-ordinary behaviors can generate anomalies.
• An employee works remotely temporarily from an area where your company has no offices.

You can delete these anomalies to prevent them from generating threats, and also to affect a desired change in user risk scores. Only users with admin privileges can delete anomalies in Splunk UBA.

You can also delete anomalies because there are limits to the to the total number of threats and anomalies that Splunk UBA can process. It is important to perform regular maintenance of your Splunk UBA deployment by managing the number of threats and anomalies in your system. See Manage the number of threats and anomalies in your environment in Administer Splunk User Behavior Analytics.

How does deleting anomalies affect other Splunk UBA components?

Deleting anomalies in Splunk UBA affects other Splunk UBA components in the following ways:

• User risk scores are generated based on the anomalies and threats linked to the user. If you choose to delete anomalies, you may affect the threats that are generated and also the user risk scores.
• Device risk scores are generated based on the anomalies and threats linked to the device. If you choose to delete anomalies, you may affect the threats that are generated and also the device risk scores.
• Deleting anomalies as false positives does not affect Splunk UBA models. The models will continue to raise similar anomalies based on similar criteria.
• Deleting anomalies does not trigger threat revalidation for threat models.
• Deleting anomalies does trigger immediate threat revalidation for threat rules.

How to delete anomalies in Splunk UBA

There are two ways to delete anomalies in Splunk UBA:

• Move anomalies to the trash and potentially restore them at a later date.
• Permanently delete anomalies.

Anomalies moved to the trash do not get raised again, as they are still stored in the Splunk UBA database. Permanently deleted anomalies can be raised again because Splunk UBA models analyze the last 30 days worth of data. If the data warrants that an anomaly should be raised, Splunk UBA will create a new anomaly if the anomaly does not already exist in Splunk UBA, including in the trash.

Move anomalies to the trash

To move a single anomaly to the trash, perform the following tasks:

1. Open the Anomaly Details for the anomaly that you would like to delete.
2. Click Delete.
3. Select Move to Trash.
4. Click OK to confirm that you want to send the anomaly to the trash.

Move multiple anomalies from the anomalies table to the anomalies trash.

1. Select Explore > Anomalies to open the Anomalies Table.
2. Filter the anomalies to show only those you want to delete. For example, change the time selection and add a User Types filter of Accounts to show only account-based anomalies created more than 30 days ago.
3. Click Actions > Delete Selected to delete all the anomalies shown.
4. The number of anomalies being moved to the trash appears in parentheses. Verify that this number does not exceed the Limits for anomaly actions in Splunk UBA.
5. Select Move to Trash.
6. Click OK to confirm that you want to delete the anomalies.

Permanently delete anomalies

To permanently delete a single anomaly, perform the following tasks:

1. Open the Anomaly Details for the anomaly that you would like to delete.
2. Click Delete.
3. Select Delete Permanently.
4. Click OK to confirm that you want to delete the anomaly permanently.

Permanently delete multiple anomalies from the anomalies table. After you delete an anomaly in this way, you cannot restore it.

1. Select Explore > Anomalies to open the Anomalies Table.
2. Filter the anomalies to show only those you want to delete. For example, change the time selection and add a User Types filter of Accounts to show only account-based anomalies created more than 30 days ago.
3. Click Actions > Delete Selected to delete all the anomalies shown.
4. The number of anomalies being deleted appears in parentheses. Verify that this number does not exceed the Limits for anomaly actions in Splunk UBA.
5. Select Delete Permanently.
6. Click OK to confirm that you want to delete the anomalies.

View and restore anomalies in the trash

You can restore and view deleted anomalies in the trash, if they were deleted by accident or based on investigation details that are no longer accurate. After you delete anomalies, threats created by those anomalies can change or disappear. Similarly, after restoring deleted anomalies, new threats can be created or existing threats can change. User risk scores are also directly affected by deleting or restoring anomalies. See Splunk UBA adjusts threats after you take action on anomalies.

Perform the following tasks to review anomalies sent to the trash and restore anomalies sent to the trash in error from the Anomalies Trash view of the anomalies table:

1. Select Explore > Anomalies.
2. Select Actions > View Anomalies Trash.
   • To restore all anomalies previously sent to the trash, click Actions > Restore Anomalies.
   • To restore a selection of the anomalies previously sent to the trash, apply additional filters then click Actions > Restore Anomalies.
   • To restore a single anomaly sent to the trash, click the name to open the Anomaly Details view and click Restore from that view.

If necessary, you can review the IDs of permanently deleted anomalies in the /var/log/caspida/ruleengine/realtimeruleexecutor.log log file.

If you export anomalies to another system, such as Splunk Enterprise Security, an analyst can open a link to a deleted anomaly or an anomaly in the trash. You can still view and restore anomalies that have been sent to the trash, but you cannot review anomalies that have been permanently deleted. Following a link to a permanently deleted anomaly displays an error of The requested anomaly could not be found.

Splunk UBA cleans up old anomalies in the trash

The AnomalyPurger process runs daily after Midnight and removes all anomalies that are last updated more than 90 days ago. For example, if you move an anomaly to the trash that has not been updated for 100 days, that anomaly is removed from Splunk UBA at Midnight the same day.

Perform the following tasks to modify this configuration as needed:

1. Log in to The Splunk UBA management node as the caspida user.
2. Edit the /etc/caspida/local/conf/uba-site.properties file.
3. Configure the persistence.anomalies.trashed.maintain.days to set the number of days that inactive anomalies should remain in the system. The default is 90 days.
4. When the AnomalyPurger process runs, batches of 300K anomalies are removed from the trash until until all anomalies in the trash are removed. Configure the persistence.anomalies.trashed.del.limit property to change the batch size as desired.
5. Save and exit the /etc/caspida/local/conf/uba-site.properties file.
6. In distributed deployments, synchronize the cluster.

   /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf