Welcome to Splunk UBA 5.0.4
Splunk UBA 5.0.4 is a maintenance release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.
If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documentation before you get started:
- See Upgrade Splunk UBA prerequisites for information you need to know before you upgrade.
- Splunk UBA requires incremental upgrades from earlier versions. See How to install or upgrade to this release of Splunk UBA for upgrade path information.
What's new in 5.0.4
Splunk UBA 5.0.4 introduces many new anomaly rules, anomalies, and threat detections. See Data source types for anomalies in Splunk UBA for a complete list of anomalies and related information.
After you upgrade to this release of Splunk UBA, none of the existing anomalies are deleted, and the anomaly rule and model enhancements can create new anomalies that duplicate existing ones. For example, Phishing anomalies can appear as Target Group Phishing after upgrading to Splunk UBA 5.0.4. Both the existing and the new anomalies factor into threat generation after upgrading Splunk UBA to release 5.0.4.
Existing Anomaly | New Anomaly in Splunk UBA 5.0.4 |
---|---|
Failed Access by Disabled Badge | Multiple Failed Entry Attempts |
Unusual Printer Usage | Confidential Print High Print Job Count |
Exfiltration | High DLP Matches High File Writes |
External Alarm | Host Data Deletion Host Infection |
Badge access anomalies | Failed Badge Access on Multiple Doors Multiple Failed Entry Attempts |
Flight Risk User | Email to Competitor HTTP Job Domain |
Malicious AD Activity | AD Audit Log Cleared AD Recovery Account |
Malicious domain rules | HTTP Blacklisted Domain HTTP Malware Domain |
Network connection rules | HTTP Proxy Domain |
Network Protocol Violation | AmplificationDOS |
Out of Profile AD Activity | Unusual AD Event Peer Group |
Out of Profile USB Activity | High USB Bytes High USB Denials |
Phishing | Target Group Phishing |
Suspicious Account Usage | Short Lived Account Disabled Account Activity |
Unauthorized Login Type | Unauthorized Login Time Unauthorized Login type |
Third-party software updates
This release of Splunk UBA includes the following updates to third-party software:
- Apache Spark is upgraded to version 2.3.2.
See Third-party credits in Splunk UBA for a full list of third-party credits.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4