Send Splunk UBA audit events to Splunk ES
Send audit events from Splunk User Behavior Analytics (UBA) to Splunk Enterprise Security (ES) so that you can maintain a history of specific actions taken by analysts and hunters in Splunk UBA.
For example, if there is a need to re-examine a closed threat, you can use the audit history to determine which analyst closed the threat.
Perform the following tasks to send audit events to the Splunk platform to be added to the _audit index:
- Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA.
- Set up a search head or forwarder to receive data from Splunk UBA.
- Configure the Splunk platform to receive data from the Splunk UBA output connector.
The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). See How do I obtain the Splunk Add-on for Splunk UBA?
Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA
Perform the following steps in Splunk UBA to enable audit logs to be sent to the Splunk platform:
- Set the uba.sys.audit.push.splunk.enabled property in the /etc/caspida/local/conf/uba-site.properties file to true:
uba.sys.audit.push.splunk.enabled=true
- Run the following command to synchronize the cluster:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Run the following commands to restart Caspida services:
/opt/caspida/bin/Caspida stop
/opt/caspida/bin/Caspida start
Set up a search head or forwarder to receive data from Splunk UBA
You can choose to set up either a search head or a forwarder to receive data sent from Splunk UBA.
- In Splunk UBA release 4.3.0 and lower, you can send data only to a Splunk search head.
- In Splunk UBA release 4.3.1 and higher, you can send data to a Splunk search head or forwarder.
Perform the following steps to set up a search head to receive data from Splunk UBA:
- In Splunk Web, select Settings > Data Inputs.
- In the TCP row, click Add New.
- Enter 10008 in the Port field. This is the port configured to work with Splunk UBA.
Perform the following steps to set up a forwarder to receive data from Splunk UBA:
- Deploy the Splunk Add-on for Splunk UBA to the forwarder. See Deploy the Splunk Add-on for Splunk UBA.
- Configure the TCP input on the Splunk forwarder. See Get data from TCP and UDP ports in the Splunk Enterprise Getting Data In manual for information on how to configure a Splunk forwarder to receive a syslog input.
Configure the Splunk platform to receive data from the Splunk UBA output connector
The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.
Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.
The following procedure uses the Splunk default certificates and the global [SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.
- See About securing Splunk Enterprise with SSL in the Splunk Enterprise Securing the Splunk Platform manual.
- See TCP: in the Splunk Enterprise Admin Manual for more information about configuring tcp-ssl using inputs.conf.
Steps on the Splunk Enterprise search head
Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive UBA threats and anomalies:
- Create a local folder under $SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example:
cd /opt/splunk/etc/apps/Splunk_TA_ueba
mkdir local
cd local
- Create a file called inputs.conf and add the following stanza:
[tcp-ssl:10008]
listenOnIPv6 = no
index = ueba
sourcetype = ueba
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
- Restart Splunk Enterprise.
- In Splunk Web, select System > Server controls.
- Click Restart Splunk.
- Verify that SSL is enabled for port 10008 in $SPLUNK_HOME/var/log/splunk/splunkd.log, as shown in one of the following examples:
11-07-2019 15:07:42.661 -0800 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL
OR
02-28-2024 22:34:37.330 +0000 INFO TcpInputConfig [3996510 TcpListener] - IPv4 port 10008 is reserved for raw input (SSL)
- Copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.
If you use your own third-party certificate, copy that certificate file to /home/caspida on the Splunk UBA management server instead. Do not copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance.
Steps on the Splunk UBA management server
Perform the following steps on the Splunk UBA management server:
- Log in to the Splunk UBA management server as the caspida user.
- Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:
. /opt/caspida/bin/CaspidaCommonEnv.sh
- Import the rootCA certificate to the Java certificate store.
If you use your own third-party certificate, replace ~/cacert.pem with that third-party certificate in the following commands.
On RHEL systems, use the following command:
sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem
On other Linux systems, use the following command:
sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
- When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.
- From the command line of the Splunk UBA management server, view the /etc/caspida/local/conf/uba-site.properties file to confirm that the following parameter is set to true, as shown:
connectors.output.splunkes.ssl=true
- Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
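As an added check that is not part of this documentation or of Splunk's own tooling, the following POSIX shell script verifies the two artifacts the procedures above leave behind: both properties in uba-site.properties on the Splunk UBA management server, and the SSL acceptor line for port 10008 in splunkd.log on the search head. It assumes the default paths and log wording shown on this page and runs against constructed sample files.

```shell
#!/bin/sh
# Added verification helper, not Splunk's own tooling. It checks two artifacts
# the procedures above produce, using the default paths and wording from the page.

# 1. uba-site.properties on the UBA management server must carry both
#    uba.sys.audit.push.splunk.enabled=true and connectors.output.splunkes.ssl=true.
#    Prints "ok" or lists the keys that are absent or not set to true.
check_uba_props() {   # $1 = path to uba-site.properties
    missing=""
    for key in uba.sys.audit.push.splunk.enabled connectors.output.splunkes.ssl; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # match the dots literally
        grep -Eq "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*true[[:space:]]*$" "$1" \
            || missing="${missing} ${key}"
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:${missing}"; fi
}

# 2. splunkd.log on the search head must show the raw TCP acceptor for the port
#    with SSL, in either wording quoted on the page (older and newer splunkd).
check_ssl_listener() {  # $1 = path to splunkd.log, $2 = port number
    if grep -Eq "TcpInputProc - Creating raw Acceptor for IPv4 port $2 with SSL|TcpInputConfig .* IPv4 port $2 is reserved for raw input \(SSL\)" "$1"; then
        echo ok
    else
        echo "no SSL acceptor for port $2"
    fi
}

# Constructed sample files (not real captures) so the checks can run offline.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'uba.sys.audit.push.splunk.enabled=true' \
              'connectors.output.splunkes.ssl=true' > "$SAMPLE_DIR/good.properties"
printf '%s\n' 'uba.sys.audit.push.splunk.enabled=false' > "$SAMPLE_DIR/bad.properties"
printf '%s\n' '02-28-2024 22:34:37.330 +0000 INFO TcpInputConfig [3996510 TcpListener] - IPv4 port 10008 is reserved for raw input (SSL)' \
  > "$SAMPLE_DIR/splunkd.log"
# Same wording as the page but for a different port, so the check must fail.
printf '%s\n' '11-07-2019 15:07:42.661 -0800 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 9997 with SSL' \
  > "$SAMPLE_DIR/splunkd_other.log"

echo "good props:     $(check_uba_props "$SAMPLE_DIR/good.properties")"
echo "bad props:      $(check_uba_props "$SAMPLE_DIR/bad.properties")"
echo "ssl listener:   $(check_ssl_listener "$SAMPLE_DIR/splunkd.log" 10008)"
echo "other port log: $(check_ssl_listener "$SAMPLE_DIR/splunkd_other.log" 10008)"
```

Run the two functions against the real files on each host (the properties check on the UBA management server, the log check on the search head) before restarting Splunk UBA.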
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0