Welcome to Splunk UBA 5.4.0
Splunk UBA 5.4.0 is a major release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.
If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.
Splunk UBA version 5.3.0 and higher mean the End of Support for UBA 5.0.x versions. For more information, see the Splunk Software Support Policy
Planning to upgrade from an earlier version?
If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documents before you get started:
- See Upgrade Splunk UBA prerequisites and overview in the Install and Upgrade Splunk user Behavior Analytics manual for information you need to know before you upgrade.
- Splunk UBA requires incremental upgrades from earlier versions. See How to install or upgrade to this release of Splunk UBA in the Install and Upgrade Splunk User Behavior Analytics manual for upgrade path information.
What's new in 5.4.0
Splunk UBA version 5.4.0 includes the following features and changes:
| Feature, enhancement, or change | Description |
|---|---|
| Operating System updates: | The 5.4.0 release supports the following operating systems:
The 5.4.0 AMI install package is available shortly after GA for AWS environments. For more information, see Operating system requirements in the Install and Upgrade Splunk User Behavior Analytics manual. |
| Sending anomalies, threats, and audit events to Splunk ES | UBA now uses the HTTP Event Collector (HEC) to send events to the Splunk platform, and no longer uses the TCP inputs.conf stanza.The following changes apply to Splunk UBA version 5.4.0 and higher:
For more details, see Send Splunk UBA anomalies and threats to Splunk ES as notable events and Send Splunk UBA audit events to Splunk ES. |
| Splunk Enterprise Security Risk Based Alerting enhancements | Splunk UBA can now directly create and send risk events to Splunk Enterprise Security (ES). UBA version 5.4.0 and higher uses the Splunk HTTP Event Collector (HEC) rather than correlation searches.
See the the "Send risk events and turn off UBA Correlation Searches in ES" option in Add an output connector in Splunk UBA in the Send and Receive Data from the Splunk Platform manual. |
| Networking requirements changes | Open the HTTP Event Collector (HEC) port to send events from Splunk UBA to the Splunk Platform. See Splunk platform port requirements in the Install and Upgrade Splunk User Behavior Analytics manual. |
| FIPS compliance | Federal Information Processing Standard (FIPS) compliance is available with Splunk UBA version 5.4.0 and higher. Complete the steps to turn FIPS on during the install or upgrade process, on each Splunk UBA node.
For details, see the "Turn on FIPS compliance" section on the install or upgrade documentation for your Splunk UBA instance: Turning on FIPS compliance must occur at a specific stage of the UBA install or upgrade process.
|
| Usage Data collection | Changes have been made to what anonymized data Splunk User Behavior Analytics as deployed on Splunk Enterprise sends Splunk Inc. For details, see Share data in Splunk UBA. |
| Windows XML Events onboarding enhancements | There is a new way to get Windows XML events into UBA. See Use the Splunk Raw Events connector to get XML Windows events into Splunk UBA in the Get Data into Splunk User Behavior Analytics manual. |
| Windows Powershell Events processing enhancements | Processing is improved for Windows Powershell Events in both Multiline and EVTX formats for the Splunk Raw Events connector type. Enhancements in processing apply to the Event IDs 4103, 4104, and 4688. |
| False Positive Suppression Model | A new offline batch model is now available. See the False Positive Suppression Model in the Use Splunk User Behavior Analytics manual. |
| Rare Events Model Scaling | Introduction of a new parameter to address potential memory usage issues during Rare Event Model execution. See Rare Events Model Scaling in the Use Splunk User Behavior Analytics manual. |
| Time-series model enhancements | Splunk UBA time-series models, including the Unusual Volume of File Access Related Events per User Model, have been enhanced for version 5.4.0. Enhancements include bugs fixes and performance improvements. Model execution time, max shuffle reads and writes, and max disk and memory spills have all been addressed. See Available time-series models in the Use Splunk User Behavior Analytics manual. |
| Batch model enhancements | Splunk UBA batch models, including the Account Exfiltration and Device Exfiltration models, have been enhanced for version 5.4.0. Enhancements include bugs fixes and performance improvements. Model execution time, max shuffle reads and writes, and max disk and memory spills have all been addressed. See Account Exfiltration Model and Device Exfiltration Model in the Use Splunk User Behavior Analytics manual. |
| New blog post | A new blog post has been published. See Building At-Scale User Behavior Analytics for Splunk UBA: Enhance Performance of Account & Device Exfiltration Models. |
Splunk UBA external dependencies
You can download a PDF file listing the external dependencies required to install Splunk UBA:
Do not independently upgrade the following UBA-dependent components to avoid impacting UBA operations:
dockerhadoophiveimpalainfluxdbkafkakubernetesnodejsopenjdkpostgresqlprotobufredissparkzookeeper
| Known issues in Splunk UBA |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0
Download manual
Feedback submitted, thanks!