About the Splunk add-on for Splunk UBA
The Splunk add-on for Splunk UBA indexes data sent from Splunk UBA to the Splunk platform and allows you to send data from the Splunk platform to Splunk UBA. The Splunk add-on for Splunk UBA consists of two separate add-ons:
- SA-UEBA is installed in SA-UEBA and is a supporting add-on for Splunk UBA. This add-on is disabled by default.
- Splunk Add-on for UEBA is installed in Splunk_TA_ueba and is a technology add-on for Splunk UBA. This add-on is enabled by default.
In any environment with both Splunk UBA and Splunk ES, both add-ons are required and both must be enabled.
- SA-UEBA has no configuration options and only needs to be enabled in your environment.
- The Splunk Add-on for UEBA is visible in the Splunk platform and has configuration options.
This manual deals primarily with configuring the Splunk Add-on for UEBA (Splunk_TA_ueba).
The Splunk Add-on for UEBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security. If you find that the Splunk Add-on for UEBA is not installed, you may need to re-run the Splunk Enterprise Security Post-Install Configuration and ensure that Splunk_TA_ueba is selected for install. See Install Splunk Enterprise Security.
See the following table for a summary of the functionality enabled by SA-UEBA and the Splunk Add-on for UEBA.

| Feature | SA-UEBA | Splunk Add-on for UEBA |
|---|---|---|
| Visible? | No. | Yes, this add-on contains a view for configuration. |
| Collection method | TCP | TCP port 10008 |
| CIM compliance | None. | None. This data maps to the UEBA data model included with Splunk Enterprise Security. |
This documentation applies to the following versions of Splunk® Add-on for Splunk UBA: 3.0.0