Splunk® Enterprise Security

Use Splunk Enterprise Security

Acrobat logo Download manual as PDF


Splunk Enterprise Security version 4.2.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Analyze Splunk UBA threats and anomalies in Splunk ES

Use the threats and anomalies identified by Splunk User Behavior Analytics alongside the correlation searches in Splunk Enterprise Security to gain further insight into your environment's security posture. First you need to set up your environment to Send UBA Threats and Anomalies to Splunk ES. To see both threats and anomalies in ES, you must have Splunk UBA version 2.1.2 or later.

After you complete the Splunk UBA and Splunk ES integration, you can investigate UBA threats and anomalies in ES.

View threats on Security Posture and Incident Review

Splunk UBA threats appear as notable events in Splunk ES. View a count of UBA threats as a UBA notables key security indicator on the Security Posture dashboard. From Security Posture you can see the specific notable events created by Splunk UBA threats on the Incident Review dashboard.

  • Expand the event details to see more about the Splunk UBA threat. The description, threat category, and correlation search reference UBA.
  • Use the event workflow actions to View Contributing Anomalies and open the Threat Details in Splunk UBA.

View anomalies on the UBA Anomalies dashboard

Use the UBA Anomalies dashboard to understand anomalous activity in your environment. To view the dashboard, select Advanced Threat > UBA Anomalies.

  • See how the count of various metrics have changed over the past 48 hours in your environment with the key indicators. Review the count of UBA notables, UBA anomaly actors, UBA anomaly signatures, UBA anomalies per threat, and the total count of UBA anomalies.
  • Investigate spikes in anomalous activity and compare the number of actors with the number of anomalies over time on the Anomalies Over Time panel.
  • Identify the most common types of anomalous activity on the Most Active Signatures panel.
  • Determine which users, devices, apps, and other actors are responsible for the most anomalous activity on the Most Active Actors panel.
  • See the latest anomalous activity on the Recent UBA Anomalies panel.


View an anomaly in Splunk UBA by clicking on a value on the dashboard to drill down to the search. Use the event actions on a specific anomaly event to View Contributing Anomalies and open Splunk UBA to view the Anomaly Details view. See Anomaly Details in the Splunk UBA User Manual.

Note: This dashboard displays in the Splunk Enterprise Security menu bar after you integrate Splunk UBA and Splunk ES. See Send UBA Threats and Anomalies to Splunk ES. You can manually add the dashboard to the navigation before you complete the integration. See Navigation.

View threat and anomaly swim lanes on the Entity Investigator dashboards

You can use swim lanes on the Asset and Identity Investigator dashboards to correlate counts of UBA threats and anomalies with other notable events in ES.

To see anomaly and threat information associated with each asset or identity that you search, add the UEBA Threats and UBA Anomalies swim lanes to the Asset Investigator and Identity Investigator dashboards. See Edit the swim lanes.

View an anomaly in Splunk UBA by clicking the swim lane and opening a drill down to the search. Use the event actions to View Contributing Anomalies and open Splunk UBA to view the Anomaly Details or Threat Details. See Review current threats for more.

Anomalies and threats modify risk scores

Splunk ES uses the risk score of anomalies and threats in Splunk UBA to modify risk for the assets and identities associated with the threats and anomalies. The risk modifier is 10 times the risk score of the anomaly or threat in Splunk UBA.

For example:

  • Splunk UBA sends Splunk ES an anomaly that applies to the host 10.11.12.123. The anomaly has a risk score of 8.
  • Splunk ES modifies the risk for the host 10.11.12.123 in response to the anomaly. A risk modifier of 10 * UBA risk score results in a risk modifier of 80.


You can see the source of increased risk when analyzing risk scores on the Risk Analysis dashboard.

Investigate anomalous activity and threats in Splunk ES

View the raw threats and anomalies sent from Splunk UBA to Splunk ES using these searches.

  • View all UBA anomalies and threats sent to Splunk ES:

    | datamodel UEBA All_UEBA_Events search

  • View all UBA threats sent to Splunk ES:

    | datamodel UEBA UEBA_Threats search

  • View all UBA anomalies sent to Splunk ES:

    | datamodel UEBA UEBA_Anomalies search

Last modified on 10 April, 2017
PREVIOUS
Predictive Analytics dashboard 		  NEXT
Configuration Settings

This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters