Splunk® Add-on for Splunk UBA

Splunk Add-on for Splunk UBA

This documentation does not apply to the most recent version of Splunk® Add-on for Splunk UBA. For documentation on the most recent version, go to the latest release.

About the Splunk add-on for Splunk UBA

The Splunk add-on for Splunk UBA indexes data sent from Splunk UBA to the Splunk platform and allows you to send data from the Splunk platform to Splunk UBA. The Splunk add-on for Splunk UBA consists of two separate add-ons:

  • SA-UEBA is installed in SA-UEBA and is a supporting add-on For Splunk UBA. This add-on is disabled by default.
  • Splunk Add-on for UEBA is installed in Splunk_TA_ueba and is a technology add-on for Splunk UBA. This add-on is enabled by default.

In any environment with both Splunk UBA and Splunk ES, both add-ons are required and both must be enabled.

  • The SA-UEBA has no configuration options and only needs to be enabled in your environment.
  • The Splunk Add-on for UEBA is visible and has configuration options.

This manual deals primarily with configuring the Splunk Add-on for UEBA (Splunk_TA_ueba).

The Splunk Add-on for UEBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security. If you find that the Splunk Add-on for UEBA is not installed, you may need to re-run the Splunk Enterprise Security Post-Install Configuration and ensure that Splunk_TA_ueba is selected for install. See Install Splunk Enterprise Security.

See the table for a summary of the functionality enabled by SA-UEBA and the Splunk Add-on for UEBA.

Feature SA-UEBA Splunk Add-on for UEBA
Visible? No. Yes, this add-on contains a view for configuration.
Collection method TCP TCP port 10008
CIM Compliance None. None. This data maps to the UEBA data model included with Splunk Enterprise Security.
Sourcetypes uba_audit ueba, stash_uba
Indexes N/A ueba, ubaroute
Additional features
  • Contains the ueba data model definition for Splunk UBA threats and anomalies which provides accelerated Splunk UBA information to Splunk ES.
  • Defines the ubauser, ubadevice, ubahistory, and ubaevents macros in Splunk ES.
  • Defines multiple correlation searches relating to Splunk UBA anomaly and threat detection:
    • Threat - UEBA Threat Detected (Notable) – Rule

    • Threat - UEBA Threat Detected (Risk) – Rule

    • Threat - UEBA Anomaly Detected (Risk) – Rule
  • Defines multiple key-indicator searches for populating Splunk web in Splunk ES, such as anomaly actors, anomaly signatures, anomalies per threat, and total anomalies.
  • Defines the UEBA - Notable External Reference - Lookup Gen lookup generation search.
  • Defines multiple swim-lane searches for populating Splunk web in Splunk ES, such as UEBA Threats By Asset, UEBA Threats By Identity, UBA Anomalies By Asset, and UBA Anomalies By Identity.
  • Contains the send2uba function which allows saved search results to be forwarded to Splunk UBA.
  • Defines the edit_uba_settings capability which is added to the ess_admin role in Splunk ES and can be assigned.
  • Defines the syslog-based output for stashed UBA data in the ubaroute index.
  • Defines multiple macros used to enrich events within Splunk ES to make them compatible with Splunk UBA.
  • Defines the Event Drilldown workflow. See Use event drilldown to review an anomaly's raw events in the Use Splunk User Behavior Analytics manual.
  • Contains lookups that can be referenced, such as a lookup for converting a Splunk UBA threat score into a Splunk ES urgency value.
  • Enables Splunk ES to retrieve user and device association data from Splunk UBA.
Last modified on 04 October, 2021
  Requirements for using the Splunk add-on for Splunk UBA

This documentation applies to the following versions of Splunk® Add-on for Splunk UBA: 3.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters