Send Splunk UBA anomalies and threats to Splunk ES

Perform the following tasks to send anomalies and threats from Splunk UBA to Splunk ES as notable events.

1. Verify that the Splunk Add-on for UEBA is installed and enabled.
2. Enable SA-UEBA so that Splunk ES can retrieve data from Splunk UBA.
3. Connect Splunk UBA to the Splunk platform using SSL.
4. Add an output connector in Splunk UBA.

Verify that the Splunk Add-on for UEBA is installed and enabled

Perform the following steps to verify that the Splunk Add-on for UEBA is installed.

1. Log in to the Splunk search head with Splunk Enterprise Security installed.
2. In Splunk Web, select Apps > Manage Apps.
3. Search for ueba and verify that Splunk_TA_ueba is installed and enabled.
4. If the add-on is not enabled, click Enable to enable it.

Enable SA-UEBA so that Splunk ES can retrieve data from Splunk UBA

Enable SA-UEBA so that dashboards and knowledge objects are visible to users in Splunk Enterprise Security. This task is required to retrieve data from Splunk UBA to display on the Session Center dashboard in Splunk Enterprise Security, to model data sent from Splunk UBA with the UEBA data model, and to use correlation searches to analyze threats and anomalies sent from Splunk UBA.

1. Log in to the Splunk search head with Splunk Enterprise Security installed.
2. In Splunk Web, select Apps > Manage Apps.
3. Locate the SA-UEBA add-on.
4. Click Enable to enable the add-on.

Configure the Splunk platform to receive data from the Splunk UBA output connector

The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.

Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.

The following procedure uses the Splunk default certificates and the global [SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.

• See About securing Splunk Enterprise with SSL in the Splunk Enterprise Securing the Splunk Platform manual.
• See TCP: in the Splunk Enterprise Admin Manual for more information about configuring tcp-ssl using inputs.conf.

Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive UBA threats and anomalies:

1. Create a local folder under $SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example:

   cd /opt/splunk/etc/apps/Splunk_TA_ueba
   mkdir local
   cd local
   

2. Create a file called inputs.conf and add the following stanza. The sslPassword holds the password for the server certificate. The value for sslPassword must match what is in the sslConfig stanza in the /etc/system/default/server.conf file:

   [tcp-ssl:10008]
   listenOnIPv6 = no
   index = ueba
   sourcetype = ueba
   serverCert = $SPLUNK_HOME/etc/auth/server.pem
   sslPassword = password
   




3. Restart Splunk Enterprise.
   1. In Splunk Web, select System > Server controls.
   2. Click Restart Splunk.
4. Verify that SSL is enabled for port 10008 in $SPLUNK_HOME/var/log/splunk/splunkd.log. For example:

   11-07-2019 15:07:42.661 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL

5. Copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.

Perform the following tasks on the Splunk UBA management server:

1. Log in to the Splunk UBA management server as the caspida user.
2. Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:

   . /opt/caspida/bin/CaspidaCommonEnv.sh

3. Import the rootCA certificate to the Java certificate store.
   On RHEL or CentOS systems, use the following command:

   sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem

   On other Linux systems, use the following command:

   sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem

4. When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.
5. From the command line of the Splunk UBA management server, view the /etc/caspida/local/conf/uba-site.properties file to confirm the following parameter is set to "true" as shown:
   connectors.output.splunkes.ssl=true
6. Restart Splunk UBA. Run the following commands on the Splunk UBA management server:

   /opt/caspida/bin/Caspida stop-all
   /opt/caspida/bin/Caspida start-all
   

Add an output connector in Splunk UBA

Set up Splunk UBA to send data to the Splunk search head or a Splunk forwarder. Splunk UBA uses the output connector to send anomalies and threats to Splunk Enterprise Security.

1. Make sure the Splunk Add-on for Splunk UBA is properly deployed and enabled. See Deploy the Splunk Add-on for Splunk UBA.
2. Make sure the SA-UEBA add-on is enabled. See Enable SA-UEBA so that Splunk ES can retrieve data from Splunk UBA.
3. Log in to Splunk UBA as an admin user.
4. Select Manage > Output Connectors.
5. Click New Output Connector.
6. Select an output connector of SplunkES and click Next.
7. Type a Name for the output connector.
8. The Forwarder Host is the IP address of the Splunk search head or forwarder with the TCP data input enabled. When sending events to a Splunk ES search head cluster, choose one of the members to specify when configuring the Output Connector in Splunk UBA.

   Splunk UBA does not support connecting to a Splunk ES search head cluster through a load balancer.

9. The Forwarder Port is TCP port 10008 that is open for receiving data on the Splunk search head or forwarder. Make sure this port is open behind your firewall.
10. Specify the Splunk ES API URL in the following format:

    https://<forwarder-host>:<mgmt-port>

    Splunk UBA uses this connection to synchronize the status of its threats with notable events in Splunk ES. The management port is usually 8089.
11. Specify a username and password. See Splunk Enterprise and Splunk ES requirements for the requirements of this user account.
12. Select how you want this output connector to process anomalies and threats.

    Option	Description
    Process Threats	Select Process Threats to enable Splunk UBA to export threats based on any configured output connectors, such as sending email or sending threats to Splunk ES. If this is not selected, no threats are exported from Splunk UBA, even if Auto Process is selected.
    Process Anomalies	Select Process Anomalies to enable Splunk UBA to export anomalies based on any configured output connectors, such as sending email or sending anomalies to Splunk ES. If this is not selected, no anomalies are exported from Splunk UBA, even if Auto Process is selected.
    Auto Process	Select Auto Process to automatically forward anomalies and threats as they are created to Splunk ES. If this is not selected, you must forward each threat and corresponding anomalies during threat review with the Export to Splunk ES action from the Threat Details page. See Review Current Threats in Use Splunk User Behavior Analytics. Selecting Auto Process in conjunction with Process Anomalies can cause a significant increase in traffic. Review the output connector logs to verify the health and performance of your system. See the Output Connector Service health monitor status codes. If you are monitoring Splunk UBA using the Splunk UBA Monitoring app, see About the Splunk UBA Monitoring app in theSplunk UBA Monitoring App manual.

13. Click OK to save the new output connector.

If the output connector does not work, verify that you configured the host server correctly in the uba-site.properties file. The host identified in the file populates the host field for events sent to Splunk Enterprise Security or the Splunk platform. See Connect Splunk UBA to Splunk Enterprise to view an anomaly's raw events in Install and Upgrade Splunk User Behavior Analytics.