Delete anomalies in Splunk UBA
Splunk UBA might generate anomalies that upon further investigation are determined to be of low value. The following are examples of where anomalies are expected and have less value, than cases where anomalies are not expected:
- If you have a penetration tester on your network, the tester's behavior can create anomalies that do not indicate a real threat to your environment.
- If one employee takes on additional job roles to cover another employee's vacation or leave, the employee's out-of-the-ordinary behaviors can generate anomalies.
- An employee works remotely temporarily from an area where your company has no offices.
You can delete these anomalies to prevent them from generating threats, and also to prevent a change in user risk scores.
Only users with admin privileges can delete anomalies in Splunk UBA.
Another reason to delete anomalies is because there are limits to the to the total number of threats and anomalies that Splunk UBA can process. It is important to perform regular maintenance of your Splunk UBA deployment by managing the number of threats and anomalies in your system. See Manage the number of threats and anomalies in your environment in Administer Splunk User Behavior Analytics.
How deleting anomalies affects other Splunk UBA components
Deleting anomalies in Splunk UBA affects other Splunk UBA components in the following ways:
- User risk scores are generated based on the anomalies and threats linked to the user. If you choose to delete anomalies, you might affect the threats that are generated as well as the user risk scores.
- Device risk scores are generated based on the anomalies and threats linked to the device. If you choose to delete anomalies, you might affect the threats that are generated as well as the device risk scores.
- Deleting anomalies as false positives does not affect Splunk UBA models. The models continue to raise similar anomalies based on similar criteria.
- Deleting anomalies does not trigger threat revalidation for threat models.
- Deleting anomalies does trigger immediate threat revalidation for threat rules.
How to delete anomalies in Splunk UBA
There are two ways to delete anomalies in Splunk UBA:
Anomaly deletion option | Further details |
---|---|
Move anomalies to the trash | Anomalies moved to the trash can be restored as needed. Anomalies moved to the trash do not get raised again, but they remain stored in the Splunk UBA database. |
Permanently delete anomalies | Permanently deleted anomalies can be raised again because Splunk UBA models analyze the last 30 days worth of data. If the data warrants that an anomaly be raised, Splunk UBA creates a new anomaly if the anomaly does not already exist in Splunk UBA, including in the trash. |
Move anomalies to the trash
To move a single anomaly to the trash, perform the following tasks:
- Open the Anomaly Details for the anomaly that you want to delete.
- Click Delete.
- Select Move to Trash.
- Click OK to confirm that you want to send the anomaly to the trash.
Move multiple anomalies from the Anomalies Table to the anomalies trash.
- Select Explore > Anomalies to open the Anomalies Table.
- Filter the anomalies to show only those you want to delete. For example, change the time selection and add a User Types filter of Accounts to show only account-based anomalies created more than 30 days ago.
- Click Actions > Delete Selected to delete all the anomalies shown.
- The number of anomalies being moved to the trash appears in parentheses. Verify that this number does not exceed the anomaly action limits. See, Limits for anomaly actions in Splunk UBA.
- Select Move to Trash.
- Click OK to confirm that you want to delete the anomalies.
Permanently delete anomalies
To permanently delete a single anomaly, perform the following tasks:
- Open the Anomaly Details for the anomaly that you want to delete.
- Click Delete.
- Select Delete Permanently.
- Click OK to confirm that you want to delete the anomaly permanently.
Permanently delete multiple anomalies from the anomalies table.
- Select Explore > Anomalies to open the Anomalies Table.
- Filter the anomalies to show only those you want to delete. For example, change the time selection and add a User Types filter of Accounts to show only account-based anomalies created more than 30 days ago.
- Click Actions > Delete Selected to delete all the anomalies shown.
- The number of anomalies being deleted appears in parentheses. Verify that this number does not exceed the anomaly action limits. See, Limits for anomaly actions in Splunk UBA.
- Select Delete Permanently.
- Click OK to confirm that you want to delete the anomalies.
After you delete an anomaly in this way, you cannot restore it.
View and restore anomalies in the trash
You can view and restore anomalies in the trash, if they were deleted by accident or based on investigation details that are no longer accurate. After you delete anomalies, threats created by those anomalies can change or disappear. Similarly, after restoring deleted anomalies, new threats can be created or existing threats can change. User risk scores are also directly affected by deleting or restoring anomalies. See Splunk UBA adjusts threats after you take action on anomalies.
Perform the following steps to review anomalies sent to the trash and restore anomalies sent to the trash in error from the Anomalies Trash view of the Anomalies Table:
- Select Explore > Anomalies.
- Select Actions > View Anomalies Trash.
- To restore all anomalies previously sent to the trash, select Actions > Restore Anomalies.
- To restore a selection of the anomalies previously sent to the trash, apply additional filters then select Actions > Restore Anomalies.
- To restore a single anomaly sent to the trash, click the name to open the Anomaly Details view and select Restore from that view.
If necessary, you can review the IDs of permanently deleted anomalies in the /var/log/caspida/ruleengine/realtimeruleexecutor.log
log file.
If you export anomalies to another system, such as Splunk Enterprise Security, an analyst can open a link to a deleted anomaly or an anomaly in the trash. You can still view and restore anomalies that have been sent to the trash, but you cannot review anomalies that have been permanently deleted. Following a link to a permanently deleted anomaly displays an error of "The requested anomaly could not be found".
Splunk UBA cleans up old anomalies in the trash
The AnomalyPurger runs daily after midnight, and removes all anomalies that were last updated more than 90 days ago. For example, if you move an anomaly to the trash that has not been updated for 100 days, that anomaly is removed from Splunk UBA at midnight the same day.
Perform the following tasks to modify this configuration as needed:
- Log in to the Splunk UBA management node as the caspida user.
- Edit the
/etc/caspida/local/conf/uba-site.properties
file. - Configure the
persistence.anomalies.trashed.maintain.days
to set the number of days that inactive anomalies should remain in the system. The default is 90 days. - When the AnomalyPurger process runs, batches of 300K anomalies are removed from the trash until all anomalies in the trash are removed. Configure the
persistence.anomalies.trashed.del.limit
property to change the batch size as desired. - Save and exit the
/etc/caspida/local/conf/uba-site.properties
file. - In distributed deployments, synchronize the cluster.
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
Review current user activity | Close threats in Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1
Feedback submitted, thanks!