Splunk® User Behavior Analytics

Release Notes

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Welcome to Splunk UBA 5.0.4

Splunk UBA 5.0.4 is a maintenance release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.

If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documentation before you get started:

What's new in 5.0.4

Splunk UBA 5.0.4 introduces many new anomaly rules, anomalies, and threat detections. See Data source types for anomalies in Splunk UBA for a complete list of anomalies and related information.

After upgrading to this release of Splunk UBA, none of the existing anomalies are deleted, and the anomaly rule and model enhancements can create new anomalies that are duplicates of the existing anomalies. For example, Phishing anomalies can appear as Target Group Phishing after upgrading to Splunk UBA 5.0.4. Both the existing and new anomalies factor into threat generation after upgrading Splunk UBA to release 5.0.4.

| Existing Anomaly | New Anomaly in Splunk UBA 5.0.4 |
| --- | --- |
| Failed Access by Disabled Badge | Multiple Failed Entry Attempts |
| Unusual Printer Usage | Confidential Print, High Print Job Count, High Print Jobs Peer, High Printer Usage Peer |
| Exfiltration | High DLP Matches, High File Writes, High Print Job Count, DLP Changed Name, DLP File Access Peer, DLP FIle Multiple Vectors, DLP Multiple Files, DLP Multiple Vectors, DLP Print Violations, DLP Social and Credit, DLP Unusual Vector Peer, DLP Web Personal, Email Attachment Size, HTTP Exfiltration Domain |
| External Alarm | Host Data Deletion, Host Infection, Host Lateral Movement |
| Badge access anomalies | Failed Badge Access on Multiple Doors, Multiple Failed Entry Attempts |
| Unusual Entry Type | Badge Reader Access |
| Flight Risk User | Email to Competitor, HTTP Job Domain, PAN Job Search, Resume Sent |
| Malicious AD Activity | AD Audit Log Cleared, AD Recovery Account, Admin Change to Self |
| Malicious domain rules | HTTP Blacklisted Domain, HTTP Malware Domain, HTTP Phishing Domain, HTTP Policy Domain, PAN Evasion Domain, PAN High Risk Domain, PAN Malware Domain, PAN Phishing Domain, PAN Unwanted Domain |
| Network connection rules | HTTP Proxy Domain |
| Network Protocol Violation | AmplificationDOS |
| Out of Profile AD Activity | Unusual AD Event Peer Group |
| Out of Profile USB Activity | High USB Bytes, High USB Denials, High USB Writes |
| Phishing | Target Group Phishing |
| Suspicious Account Usage | Short Lived Account, Disabled Account Activity, Short Lived Security Membership, New AD Account, Multiple Password Resets, Service Account AD, Service Account VPN, Email To Self, Terminated Account Usage |
| Unauthorized Login Type | Unauthorized Login Time, Unauthorized Login type, Unauthorized Login Device |

Third-party software updates

This release of Splunk UBA includes the following updates to third-party software:

  • Apache Spark is upgraded to version 2.3.2.

See Third-party credits in Splunk UBA for a full list of third-party credits.

Last modified on 22 October, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4
