Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Send correlation search results to Splunk UBA to be processed as anomalies

If your environment includes both Splunk User Behavior Analytics (UBA) and Splunk Enterprise Security, you can send the results of correlation searches from Splunk ES to Splunk UBA to be processed as anomalies. Anomalies that result from correlation search results can then be used in Splunk UBA to generate threats.

You must have version 3.0 of Splunk UBA in order for the correlation search results to be processed successfully.

You can also set up Splunk UBA to send anomalies and threats to Splunk ES. See Analyze Splunk UBA threats and anomalies in Splunk ES for more.

Set up Splunk ES to send correlation search results to Splunk UBA

Before you can send correlation search results from Splunk Enterprise Security to Splunk UBA, set up the Splunk UBA management server as an output location. You must have the ess_admin role or the edit_forwarders capability to set up this connection.

  1. From the Splunk ES menu bar, select Configure > UBA Setup.
  2. In the Management server field, type the host name and port of the Splunk UBA management server.
  3. In the Type field, select whether to use the TCP or UDP protocol to send the notable events to Splunk UBA.
  4. Click Save.

You must restart the Splunk platform after setting up this connection. If you are on a search head cluster, use the deployer to deploy the change from the Splunk_TA-ueba outputs.conf file to the cluster members.

Set up Splunk UBA to receive correlation search results from Splunk ES

Set up a new data source in Splunk UBA to receive correlation search results from Splunk Enterprise Security.

  1. In Splunk UBA, select Config > Data Sources and click New Data Source.
  2. Select Netcat as the data source.
  3. Specify a name for the data source, such as ESnotables. The data source name must be alphanumeric, with no spaces or special characters.
  4. Select SplunkES Correlation Search as the format.
  5. Click Next.
  6. Deselect the check box for Test Mode.
  7. Click OK to save the new data source.

Send correlation search results to Splunk UBA

After you set up Enterprise Security and Splunk UBA, you can start sending correlation search results to Splunk UBA. You can send correlation search results automatically, or you can send correlation search results in an ad-hoc manner by sending notable events from the Incident Review dashboard.

Automatically send correlation search results to Splunk UBA

Edit an existing correlation search or create a new correlation search to add a response action of Send to UBA to automatically send correlation search results to Splunk UBA.

  1. From the Splunk ES menu bar, select Configure > Content Management.
  2. Click the name of a correlation search or click Create New to create a new correlation search.
  3. Click Add New Response Action and select Send to UBA.
  4. Type a Severity to set the score in Splunk UBA for an anomaly that might be created from the correlation search result.
    For example, type 7 to represent a high severity.
  5. Save the correlation search.

Send correlation search results ad-hoc from Incident Review

Send notable events created by correlation search results to Splunk UBA in an ad-hoc manner from the Incident Review dashboard.

  1. On the Incident Review dashboard, locate the notable event that you want to send to Splunk UBA.
  2. From the Actions column, select Run Adaptive Response Actions.
  3. Click Add New Response Action and select Send to UBA.
  4. (Optional) Type a Severity to set the score in Splunk UBA for the anomaly that might be created from the notable event. The notable event severity, if available, takes precedence over the provided value.
  5. Click Run to run the response action and send the notable event details to Splunk UBA.

Types of results to send to Splunk UBA

Only some correlation search results create anomalies in Splunk UBA. Splunk UBA parses the correlation search results as external alarms and triggers anomalies only for results that carry relevant data; correlation searches whose results include a source, destination, or user are the most likely to produce anomalies. Results without that data are sent but ignored by Splunk UBA, so not every correlation search result sent from Splunk ES appears as an anomaly.
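The two rules above (the notable event's own severity takes precedence over the value typed into the response action, and only results with a source, destination, or user are likely to become anomalies) can be checked before results reach Splunk UBA. The following added example is not Splunk's code; it assumes notable events are dictionaries using the CIM field names src, dest and user, that an event's severity is already a numeric score, and uses constructed sample events.

```python
import re
from typing import Optional

# Splunk UBA data source names must be alphanumeric with no spaces or special characters.
DATA_SOURCE_NAME = re.compile(r"[A-Za-z0-9]+")

# Assumption: results are keyed by CIM field names (src, dest, user).
RELEVANT_FIELDS = ("src", "dest", "user")


def valid_data_source_name(name: str) -> bool:
    """True if the name satisfies the UBA data source naming rule."""
    return DATA_SOURCE_NAME.fullmatch(name) is not None


def effective_severity(event: dict, provided: Optional[int]) -> Optional[int]:
    """The notable event severity, if available, wins over the value typed in the response action."""
    own = event.get("severity")  # assumption: already a numeric UBA score
    return own if own is not None else provided


def is_relevant(event: dict) -> bool:
    """UBA creates anomalies only for results carrying a source, destination, or user."""
    return any(event.get(field) for field in RELEVANT_FIELDS)


def prepare_for_uba(events, provided_severity: Optional[int] = None):
    """Decide, per result, whether it is worth sending and which severity it would carry."""
    return [
        {
            "rule": ev["rule_name"],
            "send": is_relevant(ev),
            "severity": effective_severity(ev, provided_severity),
        }
        for ev in events
    ]


# Constructed sample notable events (not real data).
SAMPLE_EVENTS = [
    {"rule_name": "Brute Force Access Behavior Detected", "src": "10.0.0.5", "user": "alice", "severity": 9},
    {"rule_name": "Excessive Failed Logins", "dest": "10.0.0.9"},
    {"rule_name": "Threat Intelligence Download Failed"},
]

if __name__ == "__main__":
    for decision in prepare_for_uba(SAMPLE_EVENTS, provided_severity=7):
        print(decision)
```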

Last modified on 04 February, 2017

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only