Splunk® User Behavior Analytics

Release Notes


This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Welcome to Splunk UBA 5.2.0

Splunk UBA 5.2.0 is a major release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.

If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documents before you get started:

What's new in 5.2.0

Splunk UBA version 5.2.0 includes the following features and changes:

Feature, enhancement, or change: Description
Operating System updates: The 5.2.0 release provides the following operating system updates:
  • Support for Ubuntu version 20.04 (new installations and upgrades).
  • Support for RHEL version 8.6 (new installations and upgrades).
  • Support for Oracle/Linux version 8.7 (new installations and upgrades).

The 5.2.0 AMI package will be available shortly after GA for AWS environments.

For more information, see Operating system requirements in the Install and Upgrade Splunk User Behavior Analytics manual.

Bulk upload users to User Watchlists: You can now add users in bulk to a User Watchlist. See Add bulk users to a User Watchlist.

Allow/Deny List improvement: You can now enter individual entries within the Allow/Deny list by adding values using the Splunk UBA user interface. See Add new entries to a deny list or allow list.

Delete multiple threats of a certain type based on the score: The clean_threats.sh script can be used to clean up old threats. See How to delete multiple threats of a certain type based on the score.

Malware Threat model re-enabled: The Hypergraph-based Malware Threat Detection Model that was disabled in version 5.1.0 is re-enabled in version 5.2.0.

Removal of biased language: As part of an ongoing process across releases, user-interface mentions of the terms "blacklist" and "whitelist" are changed as follows:
  • The term "blacklist" has changed to "deny list".
  • The term "whitelist" has changed to "allow list".

For more information, see Biased Language Has No Place in Tech.

Splunk UBA external dependencies

You can download a PDF file listing the external dependencies required to install Splunk UBA:

To avoid impacting UBA operations, do not independently upgrade the following components that UBA depends on:

  • docker
  • hadoop
  • hive
  • impala
  • influxdb
  • kafka
  • kubernetes
  • nodejs
  • openjdk
  • postgresql
  • protobuf
  • redis
  • spark
  • zookeeper
Last modified on 23 August, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0
