Send Splunk ES correlation search results to Splunk UBA
Perform the following tasks to send correlation search results from Splunk Enterprise Security to Splunk UBA to be processed for anomalies.
- Perform UBA setup to send correlation search results to Splunk UBA.
- Connect Splunk UBA to the Splunk platform using SSL.
- Send correlation search results and notable events to Splunk UBA.
Set up Splunk UBA to receive notable events from Splunk ES
In Splunk ES, perform the following tasks so that Splunk UBA can receive notable events from Splunk ES:
Splunk Cloud Platform customers must contact Splunk Cloud Platform Support to perform the Splunk UBA setup.
- From the Splunk ES menu bar, select Configure > UBA Setup. You can also select Apps > Manage Apps and select Set up next to this add-on.
- In the Management Server field, type the host name and port number of the Splunk ES output connector on the Splunk UBA management server using port 10008. For example, <server IP address>:10008.
- In the Type field, select whether to use the TCP or UDP protocol to send the correlation search results to Splunk UBA.
Configure the Splunk platform to receive data from the Splunk UBA output connector
The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.
Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.
The following procedure uses the Splunk default certificates and the global [SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.
- See About securing Splunk Enterprise with SSL in the Splunk Enterprise Securing the Splunk Platform manual.
- See TCP: in the Splunk Enterprise Admin Manual for more information about configuring tcp-ssl using inputs.conf.
Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive UBA threats and anomalies:
- Create a local folder under $SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example:
  cd /opt/splunk/etc/apps/Splunk_TA_ueba
  mkdir local
  cd local
- Create a file called inputs.conf and add the following stanza. The sslPassword holds the password for the server certificate. The value for sslPassword must match what is in the sslConfig stanza in the /etc/system/default/server.conf file:
  [tcp-ssl:10008]
  listenOnIPv6 = no
  index = ueba
  sourcetype = ueba
  serverCert = $SPLUNK_HOME/etc/auth/server.pem
  sslPassword = password
- Restart Splunk Enterprise.
- In Splunk Web, select System > Server controls.
- Click Restart Splunk.
- Verify that SSL is enabled for port 10008 in $SPLUNK_HOME/var/log/splunk/splunkd.log. For example:
  11-07-2019 15:07:42.661 -0800 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL
- Copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.
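As an added check (example code, not part of the Splunk documentation or the add-on), this Python snippet parses the inputs.conf stanza from the steps above and the splunkd.log acceptor line to confirm that port 10008 is an SSL listener rather than a plain TCP one. The sample config and log lines are constructed; the plain-TCP log line format (the same message with no "with SSL" suffix) is an assumption.

```python
import re

# Constructed sample inputs.conf for Splunk_TA_ueba/local, matching the stanza in this procedure.
SAMPLE_INPUTS_CONF = """\
[tcp-ssl:10008]
listenOnIPv6 = no
index = ueba
sourcetype = ueba
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
"""
# Constructed splunkd.log excerpt: line 1 has the format quoted in this procedure; line 2, with
# no "with SSL" suffix, is an assumed plain-TCP acceptor line used to flag a wrong stanza type.
SAMPLE_SPLUNKD_LOG = """\
11-07-2019 15:07:42.661 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL
11-07-2019 15:07:42.662 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 9997
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping comments and blank lines."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return stanzas

def check_ueba_input(stanzas, port=10008):
    """Problems with the UBA listener stanza; an empty list means it matches the procedure."""
    stanza = stanzas.get(f"tcp-ssl:{port}")
    if stanza is None:
        # a [tcp://port] stanza is an unencrypted listener, which the TCP-SSL connector cannot use
        kind = "configured as plain [tcp://...]" if f"tcp://{port}" in stanzas else "absent"
        return [f"[tcp-ssl:{port}] stanza missing; port {port} is {kind}"]
    return [f"{k} is missing" for k in ("serverCert", "sslPassword", "index") if not stanza.get(k)]

ACCEPTOR_RE = re.compile(r"TcpInputProc - Creating raw Acceptor for IPv[46] port (\d+)( with SSL)?\s*$")

def acceptor_status(log_text, port=10008):
    """'ssl', 'plain' or 'absent', from the last TcpInputProc acceptor line for the port."""
    status = "absent"
    for line in log_text.splitlines():
        match = ACCEPTOR_RE.search(line)
        if match and int(match.group(1)) == port:
            status = "ssl" if match.group(2) else "plain"
    return status
```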
Perform the following tasks on the Splunk UBA management server:
- Log in to the Splunk UBA management server as the caspida user.
- Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:
  . /opt/caspida/bin/CaspidaCommonEnv.sh
- Import the root CA certificate to the Java certificate store.
  On RHEL or CentOS systems, use the following command:
  sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem
  On other Linux systems, use the following command:
  sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
- When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.
- From the command line of the Splunk UBA management server, view the /etc/caspida/local/conf/uba-site.properties file to confirm the following parameter is set to "true" as shown:
  connectors.output.splunkes.ssl=true
- Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
  /opt/caspida/bin/Caspida stop-all
  /opt/caspida/bin/Caspida start-all
Send notable events to Splunk UBA
Use any of the following methods to send notable events from Splunk ES to Splunk UBA:
- Send notable events and risk events using the Splunk ES Notables data source.
- Send notable events using Splunk Direct.
- Send notable events directly from the Incident Review dashboard.
- Send notable events automatically from correlation search results.
Send notable events and risk events using the Splunk ES Notables data source
Use the Splunk ES Notables data source in Splunk UBA to integrate Splunk UBA with Splunk ES. Configure Splunk UBA to connect to the Splunk ES search head. The Splunk ES Notables data source automatically ingests notables and risk events from Splunk ES and properly maps categories from Splunk ES Content Updates. If you have custom correlation searches on Splunk ES, make sure the category field is added correctly in the correlation search. The category must be one of the categories listed in Filter the anomaly table.
Splunk UBA's external alarm model uses these events and category mappings to generate meaningful anomalies which can subsequently raise the appropriate threats.
Notable events that are closed in Splunk ES are not ingested by Splunk UBA.
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- In the SIEM Connectors category, click Splunk ES Notables.
- On the Connection screen, provide connection and authentication details to connect to Splunk ES, then click Next. The user credentials must have permissions to access the notables and risk indexes.
- On the Time Range screen, select Live and All Time, then click Next.
- On the Splunk Query screen, verify the SPL being used to retrieve the events and category mappings from Splunk ES, then click Next. If you need to modify the SPL, make sure NOT (source="UEBA" OR source="UBA") is included in the final SPL to exclude Splunk UBA anomalies and threats.
- On the Test Mode screen, click Test Mode to validate the data source before ingesting all events, then click Next. See Add data sources to Splunk UBA in test mode for more information about test mode.
- Click OK.
Send notable events using Splunk Direct
Use Splunk Direct to send notable events from Splunk ES to Splunk UBA by configuring an external alarm data source. Write a custom query to handle the necessary data enrichment such as mapping the alarm category or severity.
- In Splunk ES, confirm that you get the desired notable events from the following query. The query analyzes notable events on Splunk ES that are not generated from Splunk UBA data sources and performs the proper mappings for the External Alarm category on Splunk UBA.
You will need this query in the following steps.
  `notable`
  | search NOT (source="*UEBA*" OR source="*UBA*")
  | eval action=IF(action="deferred" OR action="blocked","blocked","allowed")
  | eval tag="attack,network,communicate", app='Authentication.app', dest_zone='dest_pci_domain', src_host='src_nt_host', src_zone='src_pci_domain'
  | eval severity="Critical", evcls=coalesce(signature,savedsearch_name,search_name)
  | eval signature=IF(isnull(signature),evcls,signature)
  | eval alarmCategories=CASE(
      like(lower(evcls),"%application%") OR like(lower(evcls),"%vulnerability%"),"ProductAttack",
      like(lower(evcls),"%intrusion%"),"SystemAttack",
      like(lower(evcls),"%data%loss%") OR like(lower(evcls),"%dlp%") OR like(lower(evcls),"%exfil%"),"Exfiltration",
      like(lower(evcls),"%malware%") OR like(lower(evcls),"%virus%") OR like(lower(evcls),"%botnet%") OR like(lower(evcls),"%backdoor%") OR like(lower(evcls),"%trojan%"),"MalwarePersistence",
      like(lower(evcls),"%malware%_operations") OR like(lower(evcls),"%cnc%") OR like(lower(evcls),"%callback%"),"MalwareActivity",
      like(lower(evcls),"%spam%") OR like(lower(evcls),"%phish%"),"MalwareInstall",
      1=1,"PolicyViolation")
  | eval user=IF(isnull(user) AND like(dest,"%@%"),dest,user), dest_ip=coalesce(dest_ip,'values(dest)'), eventtype=evcls, user=IF(like(user,"%wireless%"),"",user), src_ip=IF(isnull(src_ip) AND NOT like(src,"%@%"),src,src_ip), dest_ip=IF(like(dest_ip,"%@%"),'',dest_ip)
  | makemv delim="," tag
  | makemv delim=" " dest_ip
  | mvexpand dest_ip
  | fields action,alarmCategories,app,category,dest_host,dest_ip,dest_nt_domain,dest_zone,duration,eventtype,file_name,file_path,severity,signature,sourcetype,src_host,src_ip,src_zone,tag,url,user
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- Under SIEM Connectors, select Splunk.
- Specify the connection details to Splunk ES. Select Splunk Direct as the connector type and specify the SSL management port for your Splunk ES instance.
- Select Live and All Time as the date range.
- In the Splunk Query field, specify the query that you verified at the beginning of this procedure.
- On the Data Format page, select External Alarm as the field category. Keep the default values in the Splunk Field column.
- Enter the query that you verified at the beginning of this procedure again.
- Make sure Test Mode is not selected, and then click OK.
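To preview how your correlation search names will be categorized before ingesting them, here is an added Python model (not part of the Splunk documentation or the add-on) of the alarmCategories CASE() logic from the query in step 1, run over constructed sample notables. It reproduces SPL's like() wildcards and first-match evaluation order, which is why any name containing "malware" lands in MalwarePersistence and never reaches the MalwareActivity branch.

```python
import re

# Ordered (like-patterns, category) rules mirroring the CASE() in the Splunk Direct query.
ALARM_CATEGORY_RULES = [
    (["%application%", "%vulnerability%"], "ProductAttack"),
    (["%intrusion%"], "SystemAttack"),
    (["%data%loss%", "%dlp%", "%exfil%"], "Exfiltration"),
    (["%malware%", "%virus%", "%botnet%", "%backdoor%", "%trojan%"], "MalwarePersistence"),
    (["%malware%_operations", "%cnc%", "%callback%"], "MalwareActivity"),
    (["%spam%", "%phish%"], "MalwareInstall"),
]
DEFAULT_CATEGORY = "PolicyViolation"  # the CASE() fallback branch (1=1)

def spl_like(value, pattern):
    """Emulate SPL like(): % matches any run of characters, _ matches exactly one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def event_class(notable):
    """evcls=coalesce(signature,savedsearch_name,search_name): first non-null field wins."""
    for key in ("signature", "savedsearch_name", "search_name"):
        if notable.get(key) is not None:
            return notable[key]
    return None

def alarm_category(evcls):
    """First matching branch wins, as CASE() evaluates in order: an evcls containing
    'malware' is MalwarePersistence before the '%malware%_operations' test is reached."""
    if evcls is None:
        return DEFAULT_CATEGORY
    lowered = evcls.lower()
    for patterns, category in ALARM_CATEGORY_RULES:
        if any(spl_like(lowered, p) for p in patterns):
            return category
    return DEFAULT_CATEGORY

# Constructed sample notables (not real Splunk ES data) chosen to exercise each branch.
SAMPLE_NOTABLES = [
    {"signature": "Web Application Attack Detected"},
    {"savedsearch_name": "Network - Intrusion Attempt - Rule"},
    {"search_name": "DLP - Data Loss Prevention Alert"},
    {"signature": "Malware_Operations Callback Observed"},
    {"signature": "Outbound CnC Beacon"},
    {"signature": "Phishing Email Reported"},
    {"search_name": "Access - Excessive Failed Logins - Rule"},
]

if __name__ == "__main__":
    for n in SAMPLE_NOTABLES:
        print(f"{alarm_category(event_class(n)):<20} <- {event_class(n)}")
```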
Send notable events directly from the Incident Review dashboard
Send notable events created by correlation search results to Splunk UBA in an ad-hoc manner from the Incident Review dashboard.
- On the Incident Review dashboard, locate the notable event that you want to send to Splunk UBA.
- From the Actions column, select Run Adaptive Response Actions.
- Click Add New Response Action and select Send to UBA.
- (Optional) Type a Severity to set the score in Splunk UBA for the anomaly that might be created from the notable event. The notable event severity, if available, takes precedence over the provided value.
- Click Run to run the response action and send the notable event details to Splunk UBA.
Send notable events automatically from correlation search results
You can edit an existing correlation search or create a new correlation search to automatically send correlation search results to Splunk UBA.
- From the Splunk ES menu bar, select Configure > Content Management.
- Click the name of a correlation search or click Create New to create a new correlation search.
- Click Add New Response Action and select Send to UBA.
- Type a Severity to set the score in Splunk UBA for an anomaly that might be created from the correlation search result. For example, type 7 to represent a high severity.
- Save the correlation search.
This documentation applies to the following versions of Splunk® Add-on for Splunk UBA: 3.0.0