Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Use allow and deny lists to generate or suppress anomalies

Add a domain or IP address to a deny list to generate anomalies whenever a user or device interacts with that domain or IP address.

  • Interaction with a denied domain generates a Blacklisted Domain anomaly.
  • Interaction with a denied IP generates a Blacklisted IP Address anomaly.

You can view the IP or domain, confidence rating, and source for a denied anomaly on the Anomaly details page.

Add a user, domain, or IP address to an allow list to prevent anomalies based on interactions with that user, domain, or IP address from being generated. Using an allow list prevents an anomaly from being created if the anomaly involves a single user. If an anomaly involves an allowed user and another user, it will still be generated. Add a user to an allow list if they are a penetration tester and you would expect anomalous or suspicious activity while they conduct their tests.

The allow list takes priority over the deny list. If a domain is on both lists, denied domain anomalies based on that domain are not generated.

What is denied or allowed in Splunk UBA?

This table shows what Splunk UBA denies and allows by default.

Deny list or allow list Description
Denied domains Splunk UBA includes a list of high-confidence entries from the Collective Intelligence Framework (CIF). New entries are periodically added to the list in new versions of Splunk UBA.
Denied IP addresses Splunk UBA does not include a default set of denied IP addresses.
Allowed domains Splunk UBA selects allowed domains from the top 250,000 global website domain names according to Alexa.
Allowed IP addresses Splunk UBA selects allowed IP addresses from the top 50,000 global website IP addresses and ranges according to Alexa.
Allowed users Splunk UBA does not include a default set of allowed users. Add HR data to Splunk UBA before uploading a list of allowed users.

How anomaly and threat models use deny lists and allow lists in Splunk UBA

This table shows the anomaly and threat models that interact with deny lists and allow lists in Splunk UBA. Any models not listed in the table do not have any interaction with deny lists or allow lists.

Click on the Model name column header to sort the table by model name, or click on the Model type column header to sort the table by model type.

Model name Model type How this model uses allow lists How this model uses deny lists
Suspicious Email Detection Model Threat model Checks if an email sender or recipient domain is on the allow list. Senders or recipient domains on the allow list are not automatically ignored and factor in to the threat's score and whether or not a threat is generated. Checks if an email sender or recipient domain is on the deny list. Senders or recipient domains on the deny list are used as factors in determining whether or not a threat is generated.
Device Anomaly Ranking Task
User Anomaly Ranking Task
Produces risk rankings for users and devices based on their anomalies. Checks if the anomaly contains entities on the allow list. Entities on the allow list can decrease an anomaly's score, or prevent an anomaly from being generated. Checks if the anomaly contains entities on the deny list. Entities on the deny list can increase an anomaly's score.
Suspicious Data Movement Threat Model Threat model Checks if the destination of outgoing traffic is on the allow list. Destinations on the allow list can decrease a threat's score, or prevent a threat from being generated. Checks if the destination of outgoing traffic is on the deny list. Destinations on the deny list can increase a threat's score.
Hypergraph-based Malware Threat Detection Model Threat model Checks if the activity involves domains on the allow list. Domains on the allow list can decrease an anomaly's score, or prevent an anomaly from being generated. Checks if the activity involves domains on the deny list. Domains on the deny list can increase an anomaly's score.
External Alarm Analysis Model Anomaly model Checks if the activity involves domains on the allow list. Domains on the allow list can decrease an anomaly's score, or prevent an anomaly from being generated. Checks if the activity involves domains on the deny list. Domains on the deny list can increase an anomaly's score.
Suspicious Data Transfer Anomaly model Not used. Compares the country in the activity to a built-in list of countries on the deny list. Blacklisted countries can increase the score of an anomaly.
IP Malware Communication Model Anomaly Model Destination IP addresses in the anomaly activity that are on the allow list are ignored. Checks if the destination IP address is on the deny list. Destination IP addresses on the deny list can increase the score of an anomaly.
Malware Communication Model Anomaly Model Destination domains in the anomaly activity that are on the allow list are ignored. Checks if the destination domain is on the deny list. Destination domains on the deny list can increase the score of an anomaly.
Browser Exploitation Model Anomaly model Destination domains in the anomaly activity that are on the allow list are ignored. Checks if the destination domain is on the deny list. Blacklisted domains on the deny list can increase the score of an anomaly.
Web Beaconing Detection Model Anomaly model Destination domains in the anomaly activity that are on the allow list are ignored.


By default, this model does not generate anomalies if all involved domains are on the allow list. If at least one involved domain is not on the allow list, an anomaly is raised.

Not used.
IP Beaconing Detection Model Anomaly model Destination IP addresses in the anomaly activity that are on the allow list are ignored. Not used.
Rare User Agent String Model Anomaly model Destination domains in the anomaly activity that are on the allow list are ignored. Not used.

View deny lists and allow lists in Splunk UBA

View and modify existing or add new filter lists by selecting Manage > Black/White Lists. Each list displays the total number of entries. Sort the list based on the domain, IP address, or username, source, confidence percentage, or the date reported. The date reported reflects the date that the entry was added to Splunk UBA.

Use the confidence percentage and the source to determine how much you can trust a list entry.

Add new entries to a deny list or allow list

You can add new entries to a list by uploading a static file. The file must be a .txt file, with each entry on its own line.

  1. In Splunk UBA, select Manage > Black/White Lists.
  2. Select the list you want to add values to.
  3. Click Upload.
  4. Choose a List File from your computer.
  5. (Optional) Enter a comment describing the file you are uploading.
  6. Click OK.

Users are added to the allow list only if their user account already exists in Splunk UBA. Add HR data to Splunk UBA first before uploading a list of allowed users.

Remove entries from a deny list or allow list

You can remove individual list entries, or delete any file-based list sources.

Remove individual list entries

Remove individual list entries if you determine they are no longer needed or relevant.

  1. In Splunk UBA, select Manage > Black/White Lists.
  2. Select the list from which you want to remove entries.
  3. Check the checkbox next to the entries you want to remove.
  4. Select Action > Delete.
  5. Click OK to confirm that you want to delete the selected entries.

Delete or disable list entries by source

Deleting or disabling a source removes all the list entries associated with a specific source.

  1. In Splunk UBA, select Manage > Black/White Lists.
  2. Select the list from which you want to remove a source.
  3. Click Source to see the list entries sorted by source.
  4. Check the checkbox next to the source you want to remove.
  5. Select Action > Delete.
  6. Click OK to confirm that you want to delete the selected source.

If you delete an individual entry from a list, then disable the list from source, then enable the list, previously-deleted individual entries return to the list.

Use anomaly action rules if anomalies for allowed entities are still being generated

In some cases, you may see an anomaly generated against an allowed entity such as an IP address. To suppress anomalies from being generated against this entity, perform the following tasks:

  1. Create a new device watchlist.
  2. Add devices to the new watchlist.
  3. Use the watchlist in an anomaly action rule.

In the following example, we will suppress anomaly generation for the IP address 10.1.1.8.

Create a new device watchlist

First, perform the following tasks to create a new device watchlist:

  1. In Splunk UBA, select Manage > Watchlists.
  2. In the list of watchlist types, select Device Watchlists.
  3. Click New Watchlist.
  4. In the New Device Watchlist window, enter the watchlist name Whitelisted Devices.
  5. Click OK.

See Investigate Splunk UBA entities using watchlists in Use Splunk User Behavior Analytics for more information about Splunk UBA watchlists.

Add devices to the new watchlist

Add the IP address 10.1.1.8 to the Whitelisted Devices watchlist:

  1. In Splunk UBA, select Explore > Devices or click Devices on the home page.
  2. Enter 10.1.1.8 in the search field to locate this device.
  3. Click on the device to access the Device Details page.
  4. In the Watchlist field, click the star icon and then select Whitelisted Devices to add this device to the selected watchlist.

Use the watchlist in an anomaly action rule

Use the watchlist in an anomaly action rule. In this example, any anomaly containing an IP address in the Whitelisted Devices watchlist is moved to the trash and not generated:

  1. In Splunk UBA, select Explore > Anomalies or click Anomalies on the home page.
  2. Click the gear icon and verify that Anomaly Action Rules is selected.
  3. Click New Anomaly Action Rule.
  4. Conflgure the rule action:
    1. Click Delete Anomalies and Move to Trash as the rule action.
    2. Click Apply to Future and Existing Anomalies as the rule scope.
    3. Click Next.
  5. Configure the anomaly filters:
    1. Select Device Watchlists from the list of filters, then select the Whitelisted Devices watchlist.
    2. Set the additional filter options to Include and Contains Any.
    3. Click Next.
  6. Enter Do not generate anomalies against whitelisted devices as the rule name.
  7. (Optional) Enter a description for this rule.
  8. Click OK.

See Take action on anomalies with anomaly action rules in Administer Splunk User Behavior Analytics for more information about anomaly action rules.

Last modified on 23 June, 2022
PREVIOUS
Exclude identity resolution for devices or users
  NEXT
Add Windows events to Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters