Which data sources do I need?
Before adding data sources to Splunk UBA, review the tables to find which data source types you might need to unlock desired use cases and detections.
- Required data sources for Splunk UBA to identify users and devices
- Data sources for Splunk UBA to perform identity resolution
- Data source types for use cases in Splunk UBA
- Data source types for model-based anomalies in Splunk UBA
- Data source types for rule-based anomalies in Splunk UBA
Required data sources for Splunk UBA to identify users and devices
Human resources (HR) data and assets data are required for Splunk UBA to generate high-fidelity anomalies and threats.
| Data Source | How does Splunk UBA use this data? |
|---|---|
| HR data from your HR system | HR data is required and must be the first data source ingested in Splunk UBA. HR data contains information about the accounts being tracked by Splunk UBA. HR data is required by Splunk UBA to identify accounts and categorize account types, then associate each account with a human user. See Why Splunk UBA requires HR data for more information. |
| Assets data from your configuration management database (CMDB), Splunk Enterprise Security (ES), or Active Directory (AD) | Assets data is required and must be the second data source onboarded, immediately after HR data. Assets data contains information about the devices in your environment. Assets data is required by Splunk UBA to track the behavior of assets in your system, display additional metadata for known entities, and allow denylisting of devices that should not be associated with users. Splunk UBA requires assets data with DNS to properly perform device identify resolution. See Identify assets in your environment for more information. |
See Ingest HR data and assets data using a dedicated source type for information about how to ingest these data sources.
Data sources for Splunk UBA to perform identity resolution
Splunk UBA performs identity resolution to find the real-time associations between IP addresses, host names, and users. Splunk UBA maintains these associations over time and also allows you to prevent anomalies from being generated for specific users and devices. See Exclude identity resolution for devices or users for more information.
The most accurate identity resolution is achieved by having all of the data sources in the table, and you must have at least one. The absence of a data source, such as DNS, does not prevent Splunk UBA from performing identity resolution, but can affect whether or not entities are properly mapped or whether the mappings are maintained over time.
Splunk UBA uses the following data sources to perform identity resolution:
| Data Source | How does Splunk UBA use this data? |
|---|---|
| Authentication | Splunk uses login events in authentication data to perform the following entity mappings:
|
| DNS | Splunk UBA uses DNS query response data to map IP addresses to hostnames. |
| DHCP | Splunk UBA uses log entries from new, renewed, or released leases to perform the following mappings:
|
| VPN | Splunk UBA uses login and logout events in VPN data to map IP addresses to users. |
See Which connector should I use for a particular data source? for information about how to ingest each data source.
Data sources for authentication in Splunk UBA
Splunk UBA uses Windows Active Directory (AD) events for authentication. See the following table for the supported events:
| Event ID | Description |
|---|---|
| 4663 | An attempt was made to access an object. |
| 4672 | Special privileges assigned to new logon. |
| 4673 | A privilege service was called. |
| 4698 | A scheduled task was created. |
| 4768 | A Kerberos authentication ticket (TGT) was requested. |
| 4769 | A Kerberos service ticket was requested. |
| 4776 | The computer attempted to validate the credentials for an account. |
| 5140 | A network share object was accessed. |
| 5142 | A network share object was added. |
| 5144 | A network share object was deleted. |
| 5145 | A network share object was checked to see whether client can be granted desired access. |
| 5156 | The Windows Filtering Platform has allowed a connection. |
| 5379 | Credential Manager credentials were read. |
| 7045 | A new service was installed in the system. |
| 8222 | Shadow copy has been created. |
Data source types for use cases in Splunk UBA
After the required data sources are in Splunk UBA, ingest additional data sources to unlock detections for a variety of use cases in Splunk UBA. Splunk UBA provides the following use cases by default.
| Splunk UBA Use Case | Description | Typical Contributing Factors and Data Sources |
|---|---|---|
| Account Misuse | Accidental misuse and deliberate abuse of superuser privileges yield critical compliance and privacy risks with potentially severe financial consequences and damage to your company's reputation. Splunk UBA baselines the regular behavior of each accounts and identifies abnormalities that might indicate excessive usage, rare access, potential sabotage, or covering tracks. Splunk UBA's confidence grows as a user's activity deviates from the user's peer group profile and the enterprise profile. The higher the confidence, the higher the risk. Examples of such detections include using service accounts to do VPN or interactive logins, data snooping, deleting audit logs, and accessing confidential information. | Data sources such as:
|
| Compromised User Account | Splunk UBA identifies situations where user credentials have been stolen and are being used by someone other than the authorized human user or application. This use case can also detect shared account usage and generic account abuse. Splunk UBA uses behavior modeling to identify any deviation of user activity from normal thereby indicating that someone other than the legitimate owner is operating the account. Detection encompasses identifying unusual or malicious AD activity such as operations on self, terminated users, disabled accounts, and account recovery. | Data sources such as:
|
| Compromised and Infected Machine | Splunk UBA can identify compromised network endpoints that are infected by malware or are otherwise behaving suspiciously. This differs from the Compromised User Account use case in that malicious activity might be detected on a host but not necessarily linked to a specific user account. For example, command and control traffic can be identified from a system where no user is currently logged in. Behavior-based modeling enables Splunk UBA to identify malware activity irrespective of the delivery mechanism of initial infection. The detection techniques include tracking changes in communication patterns of devices, the nature of communication with external domains or IPs, or characteristics of the domains. | Data sources such as:
|
| Contextual Intelligence | Splunk UBA learns a lot about users and entities in the organization to identify anomalies that could be linked to threats. This information is extremely useful for analysts performing alert triage and incident investigations. For example, if an analyst suspects that an endpoint has been compromised, the analyst can use Splunk UBA to learn about that desktop's users, their regular behavior, and even the role of that endpoint in the network. For example, is the endpoint a server or a workstation, and is it used for system administration or business functions? | Identity resolution, device profiler models, and data sources such as: |
| Data Exfiltration | Unauthorized or malicious data exfiltration can occur even by action of authorized users. As a result, this use case is focused on identifying this type of activity, which is necessary even when the ability to detect compromised accounts and endpoints is in place. Splunk UBA detects loss or theft of private and confidential data out of enterprise across multiple threat vectors such as network security infrastructure including firewall and proxies, online cloud storage, attached storage including USB devices, and email. | Data sources such as: |
| Lateral Movement | Lateral movement involves a trusted insider scanning and expanding access across multiple resources. Detection techniques such as rare access or expanding resource usage are used to identify lateral movement. Resources here can be machines, network file shares, box folders etc. Accesses can either be network scans, brute force logins or legitimate logins. | Data sources such as:
|
| Suspicious Behavior / Unknown Threats | In cases when there are not enough pre-defined signatures or correlations to cover some scenarios, Splunk UBA can effectively identify unknown scenarios by identifying anomalies based on deviations in the user or device activity in comparison with self or peer group baselines, suspicious or malicious activity, and alerts from external tools and correlating them into a threat. These suspicious account activities and unknown threats often demand further investigation and can lead to other potential threats such as malvertising, account compromise, account misuse, policy violations, or misconfiguration. The Suspicious Behavior / Unknown Threats use case is often used for content building. When an unknown scenario is detected, the scenario can be written into correlation search or threat rules for deterministic detection. | A combination of high scores or large number of anomalies associated with entities. |
Data mapping for model-based anomalies in Splunk UBA
Before adding data sources to Splunk UBA, review this table to find which types of anomalies can be generated for certain types of data. Click on a column header to sort the table by that column topic.
Anomaly rules typically have underscore characters in their names, while models do not. For example:
- audit_log_cleared is an anomaly rule
- Unusual Volume of Bytes Written to USB per User Model is an anomaly model
Data entering Splunk UBA is tagged with a view, which is sort of like a category in terms of how Splunk UBA interprets the data. For example, a network event from your CIM compliant IDS/IPS logs is tagged with the Network view by Splunk UBA. See Understand data flow in Splunk UBA.
The value of the specific destination device in this event can be extracted by Splunk UBA's rules and models using view.Network.DestinationDevice. This table identifies the specific fields whose values are used by Splunk UBA's anomaly rules and models to generate anomalies. See Understanding Splunk UBA data cubes in Develop Custom Content in Splunk User Behavior Analytics for more information about extracting the values of specific fields.
| Anomaly | Model | Data Sources | View | Cube | Fields and Filters |
|---|---|---|---|---|---|
| Anomalous USB Activity | Unusual Volume of Bytes Written to USB per User Model | DLP |
DLP | dlpsummary_s | view.*.user view.*.user.uuid Filter: |
| Unusual Volume of File Operations to USB per User Model | DLP |
DLP | dlpsummary_s | numEvents view.*.user Filter: | |
| Denylisted Application | Fixed Patterns in Network Traffic Model | Firewall | AD | N/A | view.HTTP.getURL view.Network.getDestinationDevice Filter: |
| Denylisted Domain | Denylisted Entity Model | HTTP |
DNS HTTP Network |
semiaggr_s | view.*.user.id view.*.user.name Filter: |
| Denylisted IP Address | Denylisted Entity Model | Network IDS/IPS | DNS HTTP Network |
semiaggr_s | |
| Download From Internal Server | Unusual Volume of Data Downloaded from Internal Server Per User Model | Firewall | Firewall | semiaggr_s | view.*.source.isPermanent view.*.user Filter: |
| Excessive Box Downloads | Unusual Volume of Box Downloads per User Model | Cloud Data | CloudData | fileaccess_s | event.eventClass event.format Filter: |
| Excessive Data Printed | Unusual Volume of Data Printer per User Model | Printer | Printer | printerdata | view.*.User view.*.User.uuid |
| Excessive Data Transmission | Unusual Volume of Data Uploaded per User Model | Network IDS/IPS |
Firewall | semiaggr_s | view.*.user view.*.user.uuid Filter: |
| Unusual Volume of Data Uploaded per User Model (uses Connection Profiling) | Network IDS/IPS |
Firewall | semiaggr_s | view.*.user view.*.user.uuid Filter: | |
| Unusual Volume of Data Uploaded per Device Model | Network IDS/IPS |
Firewall | semiaggr_s | view.*.source view.*.source.isPermanent Filter: | |
| Unusual Volume of Data Uploaded per Device Model (uses Connection Profiling) | Network IDS/IPS |
Firewall | semiaggr_s | view.*.source view.*.source.isPermanent Filter: | |
| Excessive Database Administration Tasks | Unusual Volume of Admin commands per User Model | Database | Database | databasesummary | numEvents view.database.commandName Filter: |
| Excessive Database Help Actions | Unusual Volume of Help commands per User Model | Database | Database | databasesummary | numEvents view.database.commandName Filter: |
| Excessive Database Permission Grants | Unusual Volume of Grants per User Model | Database | Database | databasesummary | numEvents view.database.commandName Filter: |
| Excessive Database Records Deleted | Unusual Volume of Database Records Deleted per User Model | Database | Database | databasesummary | view.database.commandName view.database.databaseUser Filter: |
| Excessive Database Records Modified | Unusual Volume of Database Records Modified per User Model | Database | Database | databasesummary | view.database.commandName view.database.databaseUser Filter: |
| Excessive Database Records Read | Unusual Volume of Database Records Read per User Model | Database | Database | databasesummary | view.database.commandName view.database.databaseUser Filter: |
| Excessive Downloads via VPN | Unusual Volume of VPN Traffic per User Model | VPN | Network | semiaggr_s | view.*.user view.*.user.uuid Filter: |
| Excessive File Size Change | Excessive File Size Change Model | Cloud Data |
CloudData | fileaccess_s | view.*.srcUser.name view.*.srcUser.id |
| External Alarm Activity. See About the External Alarm and External Alarm Activity anomalies in Splunk UBA for more information. | External Alarm Analysis Model | External Alarm | ExternalAlarm | externalalarms | event.eventClass view.*.riskClassification |
| External Website Attack | Suspicious Patterns in Incoming Web Traffic Model | HTTP | Network | N/A | view.Network.source.{name, scope} view.Network.destination.{name, scope} Filter: |
| Land Speed Violation | Land Speed Violation Model | Authentication | Authentication | N/A | view.Network.source.{name, scope} view.Network.destination.{name, scope} Filter: |
| Machine Generated Beacon | Web Beaconing Detection Model | HTTP | AD | windowsevents | view.HTTP.URL view.HTTP.URL.Host Filter: |
| Malicious AD Activity | Fixed Patterns in Microsoft Windows Logs Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | N/A | event.getToken("evid") view.*.user Filter: |
| Multiple Authentication Errors | Unusual Volume of Authentication Failure Events per User Model | Authentication | Authentication | authenticationevents | view.*.user view.*.user.uuid Filter: |
| Multiple Authentications | Unusual Volume of Authentication Events per User Model | Authentication | Authentication | authenticationevents | event.eventClass view.*.user Filter: |
| Multiple Badge Accesses | Unusual Volume of Badge Accesses per User Model | Badge Access | BadgeAccess | badgeaccess | numEvents view.*.user |
| Multiple Box Login Errors | Unusual Volume of Box Login Failure Events per User Model | Cloud Data | CloudData | semiaggr_s | event.eventClass event.format Filter: |
| Multiple Box Logins | Unusual Volume of Box Login Events per User Model | Cloud Data | CloudData | semiaggr_s | event.eventClass event.format Filter: |
| Multiple Box Operations | Unusual Volume of Box Events per User Model | Cloud Data | CloudData | fileaccess_s | event.eventClass event.format Filter: |
| Multiple External Alarms | Unusual Volume of External Alarms per Device Model | External Alarm | ExternalAlarm | externalalarm | numEvents view.*.riskClassification Filter: |
| Multiple File Operations | Unusual Volume of File Access Related Events per User Model | Cloud Data | CloudData | fileaccess_s | event.eventClass view.*.resource.fileName |
| Multiple Login Errors | Unusual Volume of Failed Login Events per User Model | Authentication | Authentication | authenticationevents | view.*.user view.*.user.uuid Filter: |
| Multiple Logins | Unusual Volume of VPN login Events per User Model | Authentication | Authentication | authenticationevents | view.*.user view.*.user.uuid Filter: |
| Multiple Outgoing Connections | Unusual Volume of Outgoing Connections per Device Model | Firewall | numEvents view.*.source Filter: | ||
| Unusual Volume of Outgoing Connections per User Model | Firewall | numEvents view.*.user Filter: | |||
| Multiple Sessions Denial | Unusual Volume of Blocked Connections per User Model | Firewall | numEvents view.*.externalAction Filter: | ||
| Unusual Volume of Blocked Connections per Device Model | Firewall | numEvents view.*.externalAction Filter: | |||
| Period with Unusual Windows Security Event Sequences | Active Directory Markov-Chain Correlation Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | AdPstIOC AdPstModelReady |
|
| Potential Data Staging | Unusual Volume of Data Uploaded to DMZ Devices per User Model | External Alarm |
view.*.source.isPermanent view.*.user Filter: | ||
| Potential Webshell Activity | Web Shell Model | HTTP | HTTP | N/A | view.HTTP.URL.Host view.HTTP.URL.Name Filter: |
| Scanning Activity | Network Scanning Detection Model | Firewall | Network | semiaggr_s | |
| Suspicious Account Lockout | Suspicious Account Lockout Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | view.ad.targetAccount view.ad.eventClass Filter: |
| Suspicious Data Access | Box Pattern Model | Cloud Data |
CloudData | fileaccess_s | view.*.srcUser event.eventClass |
| O365 File Access Pattern Model | Cloud Data |
CloudData | fileaccess_s | view.*.srcUser event.eventClass | |
| Suspicious Data Movement | Device Exfiltration Model | Firewall | Firewall | semiaggr_s | view.*.application view.firewall.destinationZone Filter: |
| User Exfiltration Model | Firewall | Firewall | semiaggr_s | view.*.application view.network.destination.country Filter: | |
| Suspicious Domain Communication | Malware Communication Model | Firewall |
Firewall HTTP DNS External Alarm |
N/A | view.DNS.Query view.HTTP.URL.Host Filter: |
| Suspicious Domain Name | Malware Communication Model | HTTP |
HTTP DNS |
N/A | view.DNS.Query view.HTTP.URL.Host Filter: |
| Suspicious Email | Suspicious Email Detection Model | emailsummary | view.email.sender view.email.senderDomain | ||
| Suspicious HTTP Redirects | Browser Exploitation Model | HTTP | HTTP | N/A | |
| Suspicious Network Connection | Network Transport Model | Network IDS/IPS | Everything from the Network view | N/A | None |
| Suspicious Network Exploration | Users Increasing Device Access Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | view.ad.eventId view.authentication.logonProcess Filter: |
| Suspicious New Access | New Access Model for Box | Cloud Data | CloudData | fileaccess_s | view.Data.*.srcUser view.Data.*.destUser Filter: |
| Suspicious Powershell Activity | Powershell Detection Offline Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | Network | PowerShellEvent | Filter: RarePowershellIOC.ProcessName contains "powershell" |
| Suspicious Privilege Escalation | Suspicious Privilege Escalation Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | view.ad.targetAccount view.ad.sourceAccount Filter: |
| Unusual Activity Time | Unusual Per Day Activity Time Model, Unusual Per Week Activity Time Model | Authentication |
Authentication | N/A | event.TimeInMilliSeconds event.getAnyUser Filter: |
| Unusual Application Scope | Rare Egress Application Model | External Alarm |
Firewall | semiaggr_s | view.network.source.scope view.firewall.possibleServerPort Filter: |
| Unusual Database Activity | Rare Database Activity Model | Database | Database | databasesummary | Everything from the Database view |
| Unusual Entry Type Badge Reader Access | Rare Badge Reader Access Model | Badge Access | BadgeAccess | badgeaccess | |
| Unusual Error | Rare Microsoft Windows Events Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Event | Rare Microsoft Windows Events Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual External Alarm | Rare External Alarms Model | External Alarm | ExternalAlarm | externalalarms | Everything from the External Alarm view. Filter: |
| Unusual File Access | Rare File Access Model | Cloud Data |
CloudData | fileaccess_s | event.eventClass view.event.application |
| Unusual Firewall Alarm | Frequent Pattern Mining of Firewall Alarms | Firewall | ExternalAlarm | semiaggr_s | view.*.source.uuid view.*.source.scope Filter: |
| Unusual Geolocation of Communication Destination | Rare Destination IP Geolocation Model | VPN | Firewall | semiaggr_s | |
| Unusual Login Domain | Rare Microsoft Windows Device Access Model Using Login Data | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Login Error | Rare Microsoft Windows Device Access Model Using Login Data | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Login Process | Rare Microsoft Windows Device Access Model Using Login Data | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Login Type | Rare Microsoft Windows Device Access Model Using Login Data | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Machine Access | Rare Microsoft Windows Device Access Model Using Login Data | Authentication |
AD | windowsevents | view.ad.targetAccount.accountName view.authentication.loginType |
| Rare Microsoft Windows Device Access Model Using Authentication Data | Authentication |
AD | windowsevents | view.ad.targetAccount.accountName view.ad.returnCode | |
| Unusual Network Activity | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | view.firewall.possibleServerPort view.firewall.application Filter: |
| Rare Destination IP Geolocation Model | Network IDS/IPS | Firewall | semiaggr_s | view.network.destination.country view.network.user Filter: | |
| Unusual Network Activity | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | |
| Unusual Network Application | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | |
| Unusual Network Port | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | |
| Unusual Network Zone | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | |
| Unusual Process or Process Path | Rare Microsoft Windows Events Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Resource Type | Rare Microsoft Windows Events Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Time of Badge Access | Unusual Time of Badge Access Model | Badge Access | BadgeAccess | badgeaccess | |
| Unusual USB Activity | USB Activity Model | Endpoint |
DLP | dlpsummary_s | view.*.endpoint view.*.user Filter: |
| Unusual VPN Connection Sources | Unusual Change in Ratio of Users per Remote Source in Successful VPN Authentication Events | Authentication Cloud Data |
Authentication Network |
authenticationEvents | view.network.server.uuid view.network.server Filter: |
| Unusual VPN Login Geolocation | Rare VPN Login Location Model | Authentication |
Firewall | semiaggr_s | view.authentication.source.country view.authentication.user Filter: |
| Unusual Web Browser | Rare User Agent String Model | HTTP | HTTP | httpsummary_s | view.http.userAgentString view.http.clientIp Filter: |
| Unusual Windows Security Event | Rare Microsoft Windows Events Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | view.ad.processName view.ad.eventClass Filter: |
| Unusually Long VPN Session | Unusual VPN Duration Model | VPN | Network | semiaggr_s |
Data mapping for rule-based anomalies in Splunk UBA
| Anomaly | Rule | Data Sources | View | Cube | Fields and Filters |
|---|---|---|---|---|---|
| AD Audit Log Cleared | audit_log_cleared | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | eventId |
| AD Recovery Account | ad_recovery_account | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Admin Change to Self | admin_changes_on_self | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | eventId targetuser |
| AmplificationDOS | amplification_dos_pan | Firewall | Firewall | semiaggr_s | destination bytesin |
| Confidential Print | potential_confidential_documents_printed | Printer | Printer | printerdata | fileName |
| Disabled Account Activity | disabled_account_activity | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | eventId substatus |
| DLP Changed Name | dlp_changed_name | DLP | DLP | dlpsummary_s | sourcefile destinationfile |
| DLP File Access Peer | pga_fileaccess | DLP | DLP | dlpsummary_s | sourcefile |
| DLP FIle Multiple Vectors | dlp_source_multiple_types | DLP | DLP | dlpsummary_s | eventTypeId |
| DLP Multiple Files | dlp_multiple_sourcefile | DLP | DLP | dlpsummary_s | sourcefile |
| DLP Multiple Vectors | dlp_multiple_types | DLP | DLP | dlpsummary_s | eventTypeId |
| DLP Print Violations | dlp_print_multiple_policy | DLP | DLP | dlpsummary_s | eventTypeId policy |
| DLP Social and Credit | dlp_ssn_and_cc | DLP | DLP | dlpsummary_s | sourcefile |
| DLP Unusual Vector Peer | pga_dlptype | DLP | DLP | dlpsummary_s | N/A |
| DLP Web Personal | dlp_web_personal | DLP | DLP | dlpsummary_s | destinationpath |
| Email Attachment Size | data_transfer_over_email | emailsummary | attachmentSize | ||
| Email to Competitor | email_to_competitor | emailsummary | N/A | ||
| Email to Self | email_to_self | emailsummary | N/A | ||
| Failed Badge Accesses on Multiple Doors | Failed_Badge_Entry_Multiple_Doors | Badge Access | BadgeAccess | badgeaccess | objectName |
| High DLP Matches | daily_user_dlpmatches_anomaly | DLP | DLP | dlpsummary_s | matches |
| High File Writes | daily_user_dlp_file_transfer_anomaly | DLP | DLP | dlpsummary_s | destinationfile |
| High Print Job Count | daily_user_prints_anomaly | Printer | Printer | printerdata | eventTypeId |
| High Print Jobs Peer | pga_number_of_print_jobs | Printer | Printer | printerdata | N/A |
| High Printer Usage Peer | pga_number_of_pages | Printer | Printer | printerdata | totalPages |
| High USB Bytes | daily_user_usb_data_transfer_anomaly | DLP | DLP | semiaggr_s | deviceType internalaction |
| High USB Denials | daily_user_usb_denies_anomaly | DLP | DLP | semiaggr_s | devicetype internalaction |
| High USB Writes | daily_user_usb_file_write_anomaly | DLP | DLP | semiaggr_s | deviceType internalaction |
| Host Data Deletion | csendpoint_high_datadeleton | Firewall | Firewall | semiaggr_s | N/A |
| Host Infection | csendpoint_high_infection | Firewall | Firewall | semiaggr_s | N/A |
| Host Lateral Movement | csendpoint_high_lateralmovement | Firewall | Firewall | semiaggr_s | N/A |
| HTTP Denylisted Domain | download_from_suspicious_blacklisted_domain | HTTP | HTTP | httpsummary_s | applicationtype (URL Category) bytesout |
| HTTP Exfiltration Domain | http_transfer_to_storage_site | HTTP | HTTP | httpsummary_s | applicationtype (URL Category) bytesout |
| HTTP Job Domain | job_search_proxy | HTTP | HTTP | httpsummary_s | applicationtype (URL Category) |
| HTTP Malware Domain | downlaod_from_suspicious_infection_domain | HTTP | HTTP | httpsummary_s | applicationtype (URL Category) bytesout |
| HTTP Phishing Domain | download_from_suspicious_credentialacces_domain | HTTP | HTTP | httpsummary_s | applicationtype (URL Category) bytesout |
| HTTP Policy Domain | download_from_suspicious_policyviolation_domain | HTTP | HTTP | httpsummary_s | applicationtype (URL Category) bytesout |
| HTTP Proxy Domain | usage_of_proxy_anonymizer | HTTP | HTTP | httpsummary_s | applicationtype (URL Category) bytesout |
| Local Account Created | local_account_creation | Windows Security Events (AD), Windows Security Events (Workstation) | AD | windowsevents | ComputerName AccountDomain |
| Multiple Failed Entry Attempts | disabled_badge_access | Badge Access | BadgeAccess | badgeaccess | objectName |
| Multiple Password Resets | password_policy_circumvention | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | N/A |
| Multiple Users Failed Access | failed_access_multiple_users | Badge Access | BadgeAccess | badgeaccess | objectName |
| New AD Account | new_account_detected2 | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| PAN Evasion Domain | suspicious_defenseevasion_uri_pan | Firewall | Firewall | semiaggr_s | category |
| PAN High Risk Domain | suspicious_policyviolation_uri_pan | Firewall | Firewall | semiaggr_s | category |
| PAN Job Search | job_search_pan | Firewall | Firewall | semiaggr_s | category |
| PAN Malware Domain | malicious_infection_uri_pan | Firewall | Firewall | semiaggr_s | category |
| PAN Phishing Domain | malicious_credentialaccess_uri_pan | Firewall | Firewall | semiaggr_s | category |
| PAN Unwanted Domain | suspicious_blacklisted_uri_pan | Firewall | Firewall | semiaggr_s | category |
| Print Unusual Extension Peer | pga_file_extension_printed | Printer | Printer | printerdata | fileName |
| Resume Sent | email_resume | emailsummary | hasAttachments subject | ||
| Service Account AD | service_account_login_ad | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Service Account VPN | service_account_login_vpn | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Short Lived Account | account_creation_deletion_in_short_span | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | eventid username |
| Short Lived Security Membership | member_added_removed_in_short_span | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Targeted Group Phishing | spear_phishing | emailsummary | evcls | ||
| Terminated Account Usage | terminated_user_activity | Any | Any | semiaggr_s | userstatus (from HR data) |
| Unauthorized Login Device | unauthorized_machine_login | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | N/A |
| Unauthorized Login Time | unauthorized_activity_time | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | N/A |
| Unauthorized Login Type | unauthorized_logintype | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | N/A |
| Unusual AD Event - Peer Group | pga_unusualadevent | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Unusual Cloud Storage Deletions | cloud_high_number_of_deletions | Cloud Data | CloudData | fileaccess_s | N/A |
| Unusual Cloud Storage Downloads | cloud_high_number_of_downloads | Cloud Data | CloudData | fileaccess_s | N/A |
| Unusual File Extension | cloud_unusual_fileextension_access | Cloud Data | CloudData | fileaccess_s | N/A |
| Unusual Printer Usage | potential_confidential_documents_printed | Printer | DLP | dlpsummary_s | |
| Unusual USB Device Plugged In | unusual_usb_plugin | DLP | DLP | semiaggr_s | deviceType internalaction |
| Unusual Web Protocol Exfiltration | suspicious_file_transfer | HTTP | HTTP | httpsummary_s | protocol applicationtype (URL Category) |
| USB Storage Attached an Unusually High Number of Times | multiple_usb_plugs | DLP | DLP | semiaggr_s | deviceid |
About the External Alarm and External Alarm Activity anomalies in Splunk UBA
In Splunk UBA releases earlier than 4.1, the External Alarm anomaly is raised when a notable event or external alarm category event from Splunk ES is ingested by Splunk UBA. In order for the anomaly to be triggered, the event's severity must be critical. The External Alarm anomaly was generated by a streaming model.
In Splunk UBA release 4.1 and later, the External Alarm anomaly is replaced by the External Alarm Activity anomaly. The External Alarm Activity anomaly is generated from the External Alarm Analysis Model offline model, and is triggered when the total number of notable events or external alarm category events from Splunk ES with a critical severity exceeds a certain threshold. You can view details for this anomaly in Data source types for model-based anomalies in Splunk UBA.
The External Alarm Activity uses alert grouping in both detection logic and presentation, meaning that there is not a one-to-one correspondence between the number of notable events and the number of External Alarm Activity anomalies for a user. For example, the Summary of external alarm activity panel on the Anomaly Details page for the External Alarm Activity anomaly might show that a user has only one External Alarm Activity anomaly associated with that user. Click on the event to expand the view and see that multiple External Alarm Activity anomalies are associated with that user.
Follow the instructions in Pull notable events from Splunk ES to Splunk UBA in the Send and Receive Data from the Splunk Platform manual to get notable events from Splunk ES to SplunK UBA.
| Use connectors to add data from the Splunk platform to Splunk UBA | Get data into Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.3.0, 5.4.0, 5.4.1
Download manual
Feedback submitted, thanks!