Viewing data from Splunk UBA in Enterprise Security
After you integrate Splunk Enterprise Security and Splunk User Behavior Analytics (UBA), the apps can share information and allow you to identify different types of security threats in your environment and facing your organization.
- Send threats and anomalies from Splunk UBA to Splunk Enterprise Security to adjust risk scores and create notable events.
- Send correlation search results from Splunk Enterprise Security to Splunk UBA to be processed for anomalies.
- Retrieve user and device association data from Splunk UBA to view it in Splunk Enterprise Security. Identify user accounts and devices associated with devices during specific sessions, and devices associated with users during specific sessions.
In Enterprise Security, you can see data from Splunk UBA In several places.
- View anomalies on the UBA Anomalies dashboard.
- View threat and anomaly swim lanes on the Asset and Identity Investigator dashboards.
- View session-related user and device association data on the Session Center dashboard.
See Integrate Splunk Enterprise Security with Splunk UBA in Splunk add-on for Splunk UBA.
View threats on Security Posture and Incident Review
Threats sent from Splunk UBA to Splunk Enterprise Security appear as notable events on the Incident Review and Security Posture dashboards. You can see the count of notable events created from threats on the Security Posture dashboard as a Key Security Indicator (KSI).
On Incident Review, you can expand the event details to see the description, threat category, correlation search referencing Splunk UBA, and more details. Use the workflow actions on the event to View Contributing Anomalies and open the Threat Details page in Splunk UBA. See Threat Details in the Splunk UBA User Manual.
View anomalies on the UBA Anomalies dashboard
You can use the UBA Anomalies dashboard to view anomalies from Splunk UBA in Enterprise Security and understand anomalous activity in your environment. Select Security Intelligence > User Intelligence > UBA Anomalies to view the dashboard.
- See how the count of various metrics have changed over the past 48 hours in your environment with the key indicators. Review the count of UBA notables, UBA anomaly actors, UBA anomaly signatures, UBA anomalies per threat, and the total count of UBA anomalies.
- Investigate spikes in anomalous activity and compare the number of actors with the number of anomalies over time on the Anomalies Over Time panel.
- Identify the most common types of anomalous activity on the Most Active Signatures panel.
- Determine which users, devices, apps, and other actors are responsible for the most anomalous activity on the Most Active Actors panel.
- See the latest anomalous activity on the Recent UBA Anomalies panel.
View an anomaly in Splunk UBA by clicking on a value on the dashboard to drill down to the search. Use the event actions on a specific anomaly event to View Contributing Anomalies and open Splunk UBA to view the Anomaly Details view. See Anomaly Details in the Splunk UBA User Manual.
View threat and anomaly swim lanes on the Asset and Identity Investigator dashboards
You can use swim lanes on the Asset and Identity Investigator dashboards to correlate counts of UBA threats and anomalies with other notable events in ES.
To see anomaly and threat information associated with each asset or identity that you search, add the UEBA Threats and UBA Anomalies swim lanes to the Asset Investigator and Identity Investigator dashboards. See Edit the swim lanes.
View an anomaly in Splunk UBA by clicking the swim lane to open a search with additional details. Use the event actions to View Contributing Anomalies and open Splunk UBA to view the Anomaly Details or Threat Details. See Review current threats for more.
Anomalies and threats modify risk scores
Enterprise Security uses the risk score of anomalies and threats from Splunk UBA to modify risk for the assets and identities associated with the threats and anomalies. The risk score modifier is 10 times the risk score of the anomaly or threat in Splunk UBA.
- Splunk UBA sends Enterprise Security an anomaly that applies to the host
10.11.12.123. The anomaly has a risk score of 8.
- Enterprise Security modifies the risk for the host
10.11.12.123in response to the anomaly. A risk modifier of 10 * UBA risk score results in a risk modifier of 80.
You can see the source of increased risk when analyzing risk scores on the Risk Analysis dashboard.
See user and device session associations on the Session Center dashboard
When you search an asset or identity in Session Center, you can retrieve additional data from Splunk UBA about the users that might be associated with a device, or the devices that might be associated with a user, based on session data. See Session Center dashboard.
You can also open the Session Center dashboard directly from the Incident Review dashboard when triaging notable events. When viewing the additional details of a notable event, click the workflow actions for a user or device field and open the Session Center dashboard.
Send correlation search results to Splunk UBA
After you set up Enterprise Security and Splunk UBA, you can start sending correlation search results to Splunk UBA. You can send correlation search results automatically, or you can send correlation search results in an ad-hoc manner by sending notable events from the Incident Review dashboard.
Automatically send correlation search results to Splunk UBA
Edit an existing correlation search or create a new correlation search to add a response action of Send to UBA to automatically send correlation search results to Splunk UBA.
- From the Enterprise Security menu bar, select Configure > Content Management.
- Click the name of a correlation search or click Create New to create a new correlation search.
- Click Add New Response Action and select Send to UBA.
- Type a Severity to set the score in Splunk UBA for an anomaly that might be created from the correlation search result.
For example, type 7 to represent a high severity.
- Save the correlation search.
Send correlation search results ad-hoc from Incident Review
Send notable events created by correlation search results to Splunk UBA in an ad-hoc manner from the Incident Review dashboard.
- On the Incident Review dashboard, locate the notable event that you want to send to Splunk UBA.
- From the Actions column, select Run Adaptive Response Actions.
- Click Add New Response Action and select Send to UBA.
- (Optional) Type a Severity to set the score in Splunk UBA for the anomaly that might be created from the notable event. The notable event severity, if available, takes precedence over the provided value.
- Click Run to run the response action and send the notable event details to Splunk UBA.
Types of results to send to Splunk UBA
Only some correlation search results create anomalies in Splunk UBA. Splunk UBA parses the correlation search results as external alarms, and correlation searches with a source, destination, or user in the results are most likely to produce anomalies in Splunk UBA. Not all correlation search results sent from Enterprise Security appear as anomalies in Splunk UBA. Splunk UBA only creates anomalies for the correlation search results with relevant data, and ignores other correlation search results.
Web Intelligence dashboards
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2