Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Use connectors to add data from the Splunk platform to Splunk UBA

You can send events from the Splunk platform (Splunk Enterprise or Splunk Cloud Platform) to Splunk UBA for analysis. Integrate Splunk UBA with the Splunk platform so that you can retrieve events and take advantage of the field extractions and data indexing that the Splunk platform performs.

Prerequisites for adding data from the Splunk platform to Splunk UBA

Before you can add data from the Splunk platform to Splunk UBA, make sure that your setup meets the minimum requirements. See Requirements for connecting to and getting data from the Splunk platform in Install and Upgrade Splunk User Behavior Analytics.

Add data from the Splunk platform using the Splunk Direct and Splunk Raw Events connectors

Splunk UBA provides two connectors for Splunk UBA to get data from the Splunk platform: Splunk Direct and Splunk Raw Events. The following table summarizes when to use which connector.

Your Data Splunk UBA Connector Type Where events are parsed Documentation
Your data is verified CIM compliant. CIM-compliant data enables Splunk UBA to find expected fields, tags, and event types and recognize the type of data that is being ingested. Using CIM-compliant data also enables Splunk UBA to integrate with other Splunk tools such as Splunk Enterprise Security (ES) and Splunk IT Service Intelligence (ITSI) that also rely on CIM-compliant data.


Map your data to the CIM using the add-on builder or manually using tags. See Map to data model in the Splunk Add-on Builder User Guide or Use the CIM to normalize data at search time in the Splunk Common Information Model Add-on Manual.

Splunk Direct The Splunk platform performs field extractions and data indexing before sending the data to Splunk UBA.
Your data is partially or non-CIM compliant, but Splunk UBA has a native parser to process the data. Splunk Raw Events Raw events are sent to Splunk UBA. The events are parsed by Splunk UBA using its native parsers.
Your data is not CIM compliant and Splunk UBA does not have a native parser to support the data format. Use this format to get data into Splunk UBA and generate custom content. See What is the custom use case framework? in the Develop Custom Content in Splunk User Behavior Analytics manual. Splunk Direct Use the Splunk platform to perform field extractions and data indexing before sending the data to Splunk UBA. See Add custom data to Splunk UBA using the generic data source.

Which connector should I use for a particular data source?

The connector you use to get data into Splunk UBA depends on the type of data.

  1. Splunk UBA requires human resources (HR) data and assets data from your Splunk platform before any other data is onboarded. Splunk UBA provides dedicated connectors for these specific data sources.
  2. After you get your HR data and assets data in to Splunk UBA, you can use the Splunk Direct and Splunk Raw Events connectors for additional data sources.

Ingest HR data and assets data using a dedicated data source type

The following data sources have a dedicated data source type in Splunk UBA used for ingesting data.

Data Source How does Splunk UBA use this data? How to Ingest
HR data from your HR system HR data is required and must be the first data source ingested in Splunk UBA. See Why Splunk UBA requires HR data for more information. Create a data source for your HR data. See Get HR data in to Splunk UBA.
Assets data from your CMDB, Enterprise Security, or Active Directory Assets data is required and must be the second data source onboarded, immediately after HR data. See Identify assets in your environment for more information. Create a data source for Splunk Assets. See Perform asset identification by using the Splunk Assets data source.

Ingest these data sources using the Splunk Direct connector

Ingest the following data source types using the Splunk Direct connector in Splunk UBA. See Add CIM-compliant data from the Splunk platform to Splunk UBA for instructions.

Data Source How does Splunk UBA use this data?
Authentication Splunk UBA uses authentication logs to unlock use cases such as Account Misuse and Compromised User Account.
Badge Access Splunk UBA uses badge access data to unlock use cases such as Account Misuse and Compromised User Account.
Cloud Data Splunk UBA uses cloud storage data to unlock use cases such as Account Misuse, Compromised User Account, or Data Exfiltration.
Database Splunk UBA uses database logs to perform database-related detections such as Excessive Database Records Deleted or Excessive Database Records Modified.
DHCP DHCP data associates IP addresses to physical MAC addresses. Splunk UBA requires this data to perform identity resolution and to unlock use cases such as Compromised or Infected Machine, Data Exfiltration, and External Attack.
DLP Splunk UBA uses data loss prevention (DLP) logs to unlock Data Exfiltration use cases.
DNS Domain naming system (DNS) data provides associations between IP addresses and device names. Splunk UBA requires this data to perform identity resolution and to unlock use cases such as Compromised or Infected Machine.
Email Splunk UBA uses this data to unlock uses cases such as Data Exfiltration, External Attack, or Account Misuse.
Endpoint Splunk UBA uses endpoint data source to unlock use cases such as Lateral Movement, Compromised User Account, or Compromised or Infected Machine.
External Alarm This category includes Splunk Enterprise Security (ES) notables, IPS/IDS, DLP, Malware, and Antivirus. Splunk UBA uses these data sources to unlock use cases such as Compromised or Infected Machine, Compromised User Account, Account Misuse, Lateral Movement and External Attack.


External alarms must be properly categorized so that they can be used by Splunk UBA. Each external alarm must belong to one of the anomaly categories listed in Filter the anomaly table by anomaly category in the Use Splunk User Behavior Analytics manual.

Firewall Splunk UBA uses firewall data to unlock use cases such as Compromised or Infected Machine and Data Exfiltration. Events from both allowed and blocked traffic are analyzed.
Host AV Splunk UBA uses host antivirus data to unlock use cases such as Compromised or Infected Machine or Compromised User Account.
Network IDS/IPS Splunk UBA uses intrusion detection and protection logs to unlock uses cases such as Compromised or Infected Machine or Compromised User Account.
Printer Splunk UBA uses printer data to unlock use cases such as Data Exfiltration.
VPN Splunk UBA requires this data to unlock use cases such as Account Misuse, Compromised User Account, or Data Exfiltration.
HTTP Splunk UBA uses proxy data to unlock use cases such as Compromised or Infected Machine and Data Exfiltration.
Windows event logs in XML format Splunk UBA requires Windows event data to unlock use cases such as Account Creation or Misuse, Compromised Machines or Accounts, and Lateral Movement. See Add Windows events to Splunk UBA.

Ingest custom data sources using the Splunk Direct connector

Use the Splunk Direct connector to onboard data that is not CIM compliant and or which Splunk UBA does not have a native parser to support the data format. Use this format to get data in to Splunk UBA for the custom use case framework.

Ingest these data sources using the Splunk Raw Events connector

Ingest the following data source types using the Splunk Raw Events connector in Splunk UBA. See Add raw events from the Splunk platform to Splunk UBA for instructions.

Data Source How does Splunk UBA use this data? Use this raw parser
Windows event logs in multiline format Splunk UBA requires Windows event data to unlock use cases such as Account Creation or Misuse, Compromised Machines or Accounts, and Lateral Movement. See Add Windows events to Splunk UBA. See Add Windows events to Splunk UBA.
Windows PowerShell logs Log PowerShell activity and analyze the commands with Splunk UBA to identify indicators of compromise corresponding to malicious activity by a user or malware. PowerShell provides access to Windows API calls that attackers can exploit to gain elevated access to the system, avoiding antivirus and other security controls in the process. PowerShell is also internally utilized by popular hacking tools. See Configure PowerShell logging to see PowerShell anomalies in Splunk UBA. See Add Windows events to Splunk UBA.
USB logs USB logs unlock use cases such as Compromised or Infected Machine and Data Exfiltration. Only USB logs from Windows platforms are supported. Symantec Endpoint Protection (SEP) AV/BEHAVIOR/RISK/SCAN/USB
Netflow logs Netflow logs provide traffic flow information, showing where network traffic is coming from and going to and providing information about the volume of traffic being generated. Splunk UBA requires this data source to unlock use cases such as Lateral Movement. NetFlow (nfdump)
Cisco logs Cisco logs such as Cisco ASA provide firewall-related data used by use cases such as Data Exfiltration, Suspicious Communications, and Network Scanning. Cisco VPN logs provide data about login attempts, failed login attempts, and identity resolution. Netflow-IPFix
Last modified on 08 October, 2021
How data gets from the Splunk platform to Splunk UBA   Which data sources do I need?

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters