Send correlation search results to Splunk UBA to be processed as anomalies
If your environment includes both Splunk User Behavior Analytics (UBA) and Splunk Enterprise Security, you can send the results of correlation searches from Splunk ES to Splunk UBA to be processed as anomalies. Anomalies that result from correlation search results can then be used in Splunk UBA to generate threats.
You must have version 3.0 of Splunk UBA in order for the correlation search results to be processed successfully.
You can also set up Splunk UBA to send anomalies and threats to Splunk ES. See Analyze Splunk UBA threats and anomalies in Splunk ES for more.
Set up Splunk ES to send correlation search results to Splunk UBA
Before you can send correlation search results from Splunk Enterprise Security to Splunk UBA, set up the Splunk UBA management server as an output location. You must have the ess_admin role or the edit_forwarders capability to set up this connection.
- From the Splunk ES menu bar, select Configure > UBA Setup.
- In the Management server field, type the host name and port of the Splunk UBA management server.
- In the Type field, select whether to use the TCP or UDP protocol to send the notable events to Splunk UBA.
- Click Save.
You must restart the Splunk platform after setting up this connection. If you are on a search head cluster, use the deployer to deploy the change from the Splunk_TA-ueba outputs.conf file to the cluster members.
Set up Splunk UBA to receive correlation search results from Splunk ES
Set up a new data source in Splunk UBA to receive correlation search results from Splunk Enterprise Security.
- In Splunk UBA, select Config > Data Sources and click New Data Source.
- Select a data source of Netcat.
- Specify a name for the data source, such as ESnotables. The data source name must be alphanumeric, with no spaces or special characters.
- Select a format of SplunkES Correlation Search.
- Click Next.
- Deselect the check box for Test Mode.
- Click OK to save the new data source.
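As an added example that is not part of this documentation or the Splunk_TA-ueba add-on, the following Python script encodes the constraints from the two setup procedures above as a pre-deployment check: the outputs.conf stanza must carry a host:port management server and a TCP or UDP type, and the Splunk UBA data source name must be alphanumeric. The stanza name syslog:uba, the host name, and the port in the sample are assumptions; confirm the real stanza name in the add-on's own outputs.conf before relying on this.

```python
import configparser
import re
from typing import List

# Constructed sample of the Splunk_TA-ueba outputs.conf fragment. The stanza
# name "syslog:uba", host and port are assumptions used for illustration only.
SAMPLE_OUTPUTS_CONF = """
[syslog:uba]
server = uba-mgmt.example.internal:10008
type = tcp
"""

DATA_SOURCE_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")
HOST_PORT_RE = re.compile(r"^[A-Za-z0-9.-]+:(\d{1,5})$")


def check_outputs_conf(text: str, stanza: str = "syslog:uba") -> List[str]:
    """Return the problems found in the UBA output stanza (empty list = OK)."""
    problems: List[str] = []
    # Splunk .conf files are INI-like; restrict delimiters to '=' so the
    # ':' inside host:port is not mistaken for a key/value separator.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section(stanza):
        return [f"missing [{stanza}] stanza"]
    server = cp.get(stanza, "server", fallback="")
    m = HOST_PORT_RE.match(server)
    if not m:
        problems.append(f"server must be host:port, got {server!r}")
    elif not 1 <= int(m.group(1)) <= 65535:
        problems.append(f"port out of range in {server!r}")
    proto = cp.get(stanza, "type", fallback="").lower()
    if proto not in ("tcp", "udp"):
        problems.append(f"type must be tcp or udp, got {proto!r}")
    return problems


def check_data_source_name(name: str) -> bool:
    """Splunk UBA data source names must be alphanumeric, no spaces or symbols."""
    return bool(DATA_SOURCE_NAME_RE.match(name))


if __name__ == "__main__":
    print(check_outputs_conf(SAMPLE_OUTPUTS_CONF))  # []
    print(check_data_source_name("ESnotables"))      # True
    print(check_data_source_name("ES notables"))     # False
```

Run it against the outputs.conf you are about to push with the deployer; an empty list means the stanza matches what this page requires.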
Send correlation search results to Splunk UBA
After you set up Enterprise Security and Splunk UBA, you can start sending correlation search results to Splunk UBA. You can send correlation search results automatically, or you can send correlation search results in an ad-hoc manner by sending notable events from the Incident Review dashboard.
Automatically send correlation search results to Splunk UBA
Edit an existing correlation search or create a new correlation search to add a response action of Send to UBA to automatically send correlation search results to Splunk UBA.
- From the Splunk ES menu bar, select Configure > Content Management.
- Click the name of a correlation search or click Create New to create a new correlation search.
- Click Add New Response Action and select Send to UBA.
- Type a Severity to set the score in Splunk UBA for an anomaly that might be created from the correlation search result. For example, type 7 to represent a high severity.
- Save the correlation search.
Send correlation search results ad-hoc from Incident Review
Send notable events created by correlation search results to Splunk UBA in an ad-hoc manner from the Incident Review dashboard.
- On the Incident Review dashboard, locate the notable event that you want to send to Splunk UBA.
- From the Actions column, select Run Adaptive Response Actions.
- Click Add New Response Action and select Send to UBA.
- (Optional) Type a Severity to set the score in Splunk UBA for the anomaly that might be created from the notable event. The notable event severity, if available, takes precedence over the provided value.
- Click Run to run the response action and send the notable event details to Splunk UBA.
Types of results to send to Splunk UBA
Only some correlation search results create anomalies in Splunk UBA. Splunk UBA parses the correlation search results as external alarms, and correlation searches with a source, destination, or user in the results are the most likely to produce anomalies. Splunk UBA only triggers anomalies for correlation search results that contain relevant data and ignores the rest, so not every result sent from Splunk ES will appear as an anomaly in Splunk UBA.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only