Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Analyze Splunk UBA threats and anomalies in Splunk ES

Use the threats and anomalies identified by Splunk User Behavior Analytics alongside the notable events in Splunk Enterprise Security to gain further insight into your environment's security posture.

This is one point of integration with Splunk UBA. To analyze Splunk UBA threats and anomalies in Enterprise Security, set up your environment. See Send UBA Threats and Anomalies to Splunk ES in Administer Splunk UBA. To see both threats and anomalies in ES, you must have Splunk UBA version 2.1.1 or later.

After you set up this integration, you can investigate UBA threats and anomalies in Enterprise Security.

View threats on Security Posture and Incident Review

Splunk UBA threats appear as notable events in Enterprise Security. View a count of UBA threats as a UBA notables key security indicator on the Security Posture dashboard.

  • You can see the specific notable events created by Splunk UBA threats on the Incident Review dashboard.
  • Expand the notable event details to see more about the Splunk UBA threat. The description, threat category, and correlation search reference UBA.
  • Use the event workflow actions to View Contributing Anomalies and open the Threat Details in Splunk UBA.

View anomalies on the UBA Anomalies dashboard

Use the UBA Anomalies dashboard to understand anomalous activity in your environment. To view the dashboard, select Security Intelligence > User Intelligence > UBA Anomalies.

  • See how the count of various metrics have changed over the past 48 hours in your environment with the key indicators. Review the count of UBA notables, UBA anomaly actors, UBA anomaly signatures, UBA anomalies per threat, and the total count of UBA anomalies.
  • Investigate spikes in anomalous activity and compare the number of actors with the number of anomalies over time on the Anomalies Over Time panel.
  • Identify the most common types of anomalous activity on the Most Active Signatures panel.
  • Determine which users, devices, apps, and other actors are responsible for the most anomalous activity on the Most Active Actors panel.
  • See the latest anomalous activity on the Recent UBA Anomalies panel.


View an anomaly in Splunk UBA by clicking on a value on the dashboard to drill down to the search. Use the event actions on a specific anomaly event to View Contributing Anomalies and open Splunk UBA to view the Anomaly Details view. See Anomaly Details in the Splunk UBA User Manual.

Note: This dashboard displays in the Splunk Enterprise Security menu bar after you integrate Splunk UBA and Splunk ES. See Send UBA Threats and Anomalies to Splunk ES in Administer Splunk UBA. You can manually add the dashboard to the navigation before you complete the integration. See Navigation.

View threat and anomaly swim lanes on the Entity Investigator dashboards

You can use swim lanes on the Asset and Identity Investigator dashboards to correlate counts of UBA threats and anomalies with other notable events in ES.

To see anomaly and threat information associated with each asset or identity that you search, add the UEBA Threats and UBA Anomalies swim lanes to the Asset Investigator and Identity Investigator dashboards. See Edit the swim lanes.

View an anomaly in Splunk UBA by clicking the swim lane and opening a drill down to the search. Use the event actions to View Contributing Anomalies and open Splunk UBA to view the Anomaly Details or Threat Details. See Review current threats for more.

Anomalies and threats modify risk scores

Splunk ES uses the risk score of anomalies and threats in Splunk UBA to modify risk for the assets and identities associated with the threats and anomalies. The risk modifier is 10 times the risk score of the anomaly or threat in Splunk UBA.

For example:

  • Splunk UBA sends Splunk ES an anomaly that applies to the host 10.11.12.123. The anomaly has a risk score of 8.
  • Splunk ES modifies the risk for the host 10.11.12.123 in response to the anomaly. A risk modifier of 10 * UBA risk score results in a risk modifier of 80.

You can see the source of increased risk when analyzing risk scores on the Risk Analysis dashboard.

Investigate anomalous activity and threats in Enterprise Security

View the raw threats and anomalies sent from Splunk UBA to Enterprise Security using these searches.

  • View all UBA anomalies and threats sent to Enterprise Security:

    | datamodel UEBA All_UEBA_Events search

  • View all UBA threats sent to Enterprise Security:

    | datamodel UEBA UEBA_Threats search

  • View all UBA anomalies sent to Enterprise Security:

    | datamodel UEBA UEBA_Anomalies search

Last modified on 04 April, 2017
Predictive Analytics dashboard   Send correlation search results to Splunk UBA to be processed as anomalies

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters