Requirements for using the Splunk Add-on for Splunk UBA
Before integrating Splunk User Behavior Analytics (UBA) with Splunk Enterprise or Splunk Enterprise Security (ES), meet these requirements:
- Verify that you are using compatible versions of Splunk UBA, Splunk Enterprise, and Splunk ES. See Splunk UBA product compatibility matrix in the Plan and Scale your Splunk UBA Deployment manual.
- Verify that you have properly configured Splunk UBA, Splunk Enterprise, and Splunk ES for integration. See Splunk Enterprise and Splunk ES requirements.
- Verify that you have properly configured authentication for Splunk ES users to access Splunk UBA. See Configure authentication between Splunk UBA and Splunk ES.
Splunk Cloud Platform customers must contact Splunk Support to fully integrate with Splunk UBA. The Splunk Cloud Platform sc_admin role cannot perform Splunk UBA setup.
Splunk Enterprise and Splunk ES requirements
Meet the following requirements to integrate Splunk UBA with Splunk Enterprise and Splunk ES.
- Verify that you have a Splunk Enterprise user account that meets all the requirements listed in Requirements for the Splunk Enterprise user account in the Install and Upgrade Splunk User Behavior Analytics manual.
- Verify that the Splunk Add-on for Splunk UBA is installed and enabled on your search head, with the ueba index deployed to your indexers. See Deploy the Splunk Add-on for Splunk UBA.
- Verify that the name of the Splunk UBA server is specified correctly in Splunk ES. The name of the Splunk UBA server that you specified when running the /opt/caspida/bin/Caspida setup command during Splunk UBA installation must match the value of the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA. The name that you specified during setup is stored in the /opt/caspida/conf/deployment/caspida-deployment.conf file.
  - If you specified a Splunk UBA host name such as ubahost1 during setup, make sure that uiServer.host is set to the same host name.
  - If you specified an IP address such as 10.11.12.1 during setup, make sure that uiServer.host is set to the same IP address.
- Configure an output connector on Splunk UBA to send anomalies and threats from Splunk UBA to Splunk ES. During this configuration, you must provide a username and password for a Splunk ES account with at least the permissions granted by the ess_analyst role plus the edit_reviewstatuses capability, so that Splunk UBA is fully authorized for this integration. This privilege level is required so that Splunk UBA can access the Splunk ES APIs and change the status of notable events. See Add an output connector in Splunk UBA.
Configure authentication between Splunk UBA and Splunk ES
Starting with release 6.1.0, Splunk ES can use a local user account to integrate with Splunk UBA. To perform the integration, meet the following requirements:
- In Splunk UBA, configure an account with the username of "ubaesuser" (for UBA ES User) and the account role of User (uba_user). See Add a local user account in the Administer Splunk User Behavior Analytics manual.
- In Splunk ES, create the matching credentials. See Add a new credential for UBA input in the Splunk Enterprise Security Administer Splunk Enterprise Security manual.
If you are using a version of Splunk ES lower than 6.1.0, configure Splunk authentication in Splunk UBA to integrate Splunk UBA and Splunk ES. See Configure Splunk authentication using Splunk UBA in the Administer Splunk User Behavior Analytics manual.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0