Get data in to Splunk UBA
Splunk UBA uses data from the Splunk platform to identify potential insider and external threats to your environment. Work with Splunk Professional Services to get started with importing important data sources and filtering events.
Required and recommended data sources for Splunk UBA
The following lists summarize the data sources that must be imported into Splunk UBA to make it operational, and the additional data sources that unlock further use cases and detections.
Required data sources for Splunk UBA
Required data sources make Splunk UBA operational.
- HR data from your HR system and Active Directory. This data contains information about employees and their login accounts.
- Assets data from your CMDB, Enterprise Security, or Active Directory. This data contains information about the devices in your environment.
- Windows security events from your domain controller logs. This data associates IP addresses to device names and users.
- DHCP. This data associates IP addresses to physical MAC addresses.
- Proxy. This data is used for use cases such as malware and machine-generated beaconing.
- Firewall (perimeter). This data is used for use cases such as data exfiltration.
See Add data sources to Splunk UBA for information about the order in which to add data sources.
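Why these sources are required together, as an added illustration that is not part of this documentation and not Splunk UBA code: a proxy or firewall event identifies the client only by source IP, so attribution to a device and a user depends on DHCP (IP to MAC and host name) and domain controller security events (IP to logged-on user), and the lookup has to be time-aware because DHCP reassigns addresses during the day. The event formats, field names and sample records below are constructed for the example and are not real vendor formats.

```python
"""Added illustration of how the required sources chain together; not Splunk UBA code.
Constructed sample events in a simplified key=value form (not real vendor formats)."""
from datetime import datetime

# Constructed DHCP lease events: the same IP is leased to two different devices on one day.
DHCP_EVENTS = [
    "time=2024-03-01T08:00:00Z action=lease ip=10.1.2.34 mac=aa:bb:cc:dd:ee:01 host=ws-0417",
    "time=2024-03-01T12:30:00Z action=lease ip=10.1.2.34 mac=aa:bb:cc:dd:ee:02 host=ws-0912",
]
# Constructed Windows security events from a domain controller (4624 = successful logon).
WINSEC_EVENTS = [
    "time=2024-03-01T08:05:10Z EventCode=4624 src_ip=10.1.2.34 user=jdoe dest=dc01",
    "time=2024-03-01T12:35:00Z EventCode=4624 src_ip=10.1.2.34 user=asmith dest=dc01",
]
# Constructed proxy events: only a source IP identifies the client.
PROXY_EVENTS = [
    "time=2024-03-01T07:00:00Z src_ip=10.1.2.34 dest_host=cdn.example.net action=allowed",
    "time=2024-03-01T09:15:00Z src_ip=10.1.2.34 dest_host=updates.example.net action=allowed",
    "time=2024-03-01T13:00:00Z src_ip=10.1.2.34 dest_host=files.example.org action=allowed",
]


def parse_kv(line):
    """Split a 'k=v k=v' line into a dict (a value may itself contain '=')."""
    return dict(tok.split("=", 1) for tok in line.split())


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_lease_timeline(dhcp_lines):
    """(time, ip, {host, mac}) records from DHCP: IP -> physical device."""
    timeline = []
    for line in dhcp_lines:
        ev = parse_kv(line)
        if ev.get("action") == "lease":
            timeline.append((parse_time(ev["time"]), ev["ip"], {"host": ev["host"], "mac": ev["mac"]}))
    return timeline


def build_logon_timeline(winsec_lines):
    """(time, ip, {user}) records from DC security events: IP -> logged-on user."""
    timeline = []
    for line in winsec_lines:
        ev = parse_kv(line)
        if ev.get("EventCode") == "4624":
            timeline.append((parse_time(ev["time"]), ev["src_ip"], {"user": ev["user"]}))
    return timeline


def most_recent(timeline, ip, at):
    """Latest record for ip with time <= at; None if the IP has no prior record.
    The time check matters: the same IP belongs to different devices over the day."""
    best = None
    for t, rec_ip, rec in timeline:
        if rec_ip == ip and t <= at and (best is None or t >= best[0]):
            best = (t, rec)
    return best[1] if best else None


def attribute(proxy_lines, leases, logons):
    """Enrich each proxy event with the device and user behind src_ip at that time.
    Fields stay None when no lease or logon precedes the event: attribution is incomplete."""
    out = []
    for line in proxy_lines:
        ev = parse_kv(line)
        at = parse_time(ev["time"])
        lease = most_recent(leases, ev["src_ip"], at) or {}
        logon = most_recent(logons, ev["src_ip"], at) or {}
        out.append({
            "time": ev["time"], "src_ip": ev["src_ip"], "dest_host": ev["dest_host"],
            "host": lease.get("host"), "mac": lease.get("mac"), "user": logon.get("user"),
        })
    return out


if __name__ == "__main__":
    leases = build_lease_timeline(DHCP_EVENTS)
    logons = build_logon_timeline(WINSEC_EVENTS)
    for rec in attribute(PROXY_EVENTS, leases, logons):
        print(rec)
```

The first proxy event predates every lease and logon, so it resolves to no device and no user; the second resolves to ws-0417/jdoe and the third, after the IP was reissued, to ws-0912/asmith. Without the DHCP and domain controller feeds, all three would remain a bare IP address.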
Recommended data sources for Splunk UBA
Recommended data sources unlock additional use cases and detections in Splunk UBA.
- Internal DNS requests, in cases where none of the required data sources provide associations between IP addresses and device names.
- External DNS requests
- Windows security events
- Workstation logs
- Command line logs
- External alarms
- ES notables
- Firewall (internal)
- Physical badge access
- USB logs
- Cloud storage
See Data source types for anomalies in Splunk UBA for information about which data sources must be imported for specific anomalies.
Prepare to add data sources in Splunk UBA
Before you add new data sources, review the types of data that you want to add and determine which ones Splunk UBA supports.
- In Splunk UBA Web, select Manage > Data Sources.
- Click New Data Source to review the data source types that you can add to Splunk UBA.
You can also review the data sources that produce different types of anomalies. See Data source types for anomalies in Splunk UBA.
After you determine which data sources you can add, make sure that existing event filters do not affect the new data sources. Review the existing event filters to check for settings that could negatively affect future data uploads. For example, an event filter that excludes source_IP data from one data source could affect the new data source. You might have to modify filters as you add new data sources.
Get started with a small dataset
Get started with a smaller set of data before working in a full production environment. This is useful for verifying that the data coming in to Splunk UBA is properly configured and mapped so that you see the desired anomalies and threats.
- You can add data from a file to test on a small scale. See Add new file-based data sources to Splunk UBA.
- You can add data from Splunk software to Splunk UBA in test mode, where Splunk UBA analyzes a sample set of data from the data source. See Add data sources to Splunk UBA in test mode.
- You can create an event filter, which is useful for limiting or targeting the data you are analyzing. You can apply filters to include or exclude devices or users. See Filter events analyzed by Splunk UBA for anomalies.
Add data sources to Splunk UBA
Complete the following steps, in this order, to get data in to Splunk UBA.
- Get HR data in to Splunk UBA.
- Identify assets in your environment.
- Use blacklists and whitelists.
- Add data from the Splunk platform to Splunk UBA.
Verify your Splunk UBA data
See Verify that you successfully added the data source for information on how to verify a data source is successfully added to Splunk UBA.
Some data sources, such as DHCP, DNS, AD, or HTTP, do not always provide a destination device. If you ingest one of these data types and see validation error messages about a missing destination device, examine the raw event before dismissing them: if the raw event contains no destination device, you can ignore the messages. If the raw event does contain a destination device, the validation message points at the field mapping rather than the data, and the mapping should be corrected before the messages are ignored.
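A small triage helper for those validation messages, added here as an example and not Splunk UBA code: it separates messages that are safe to ignore (the source type may lack a destination and the raw event has none) from ones that indicate a mapping problem (the raw event does carry a destination field) or a source worth checking. The destination field names, source-type labels and raw events are constructed for the example and are not Splunk UBA's field model.

```python
"""Added triage helper for destination-device validation messages; not Splunk UBA code.
Field names, source-type labels and sample events are constructed for this example."""

# Assumed names under which a destination device might appear in a raw event.
DEST_FIELDS = ("dest", "dest_host", "dest_ip", "dest_nt_host", "dvc_dest")

# Data source types the documentation says may legitimately lack a destination device.
NO_DEST_EXPECTED = {"dhcp", "dns", "ad", "http"}

# Constructed raw events as (source_type, event line) pairs.
RAW_EVENTS = [
    ("dhcp", "time=2024-03-01T08:00:00Z action=lease ip=10.1.2.34 mac=aa:bb:cc:dd:ee:01 host=ws-0417"),
    ("dns", "time=2024-03-01T08:01:00Z src_ip=10.1.2.34 query=updates.example.net qtype=A"),
    ("http", "time=2024-03-01T08:02:00Z src_ip=10.1.2.34 url=http://updates.example.net/x dest_ip=93.184.216.34"),
    ("firewall", "time=2024-03-01T08:03:00Z src_ip=10.1.2.34 action=allowed bytes_out=1048576"),
]


def parse_kv(line):
    """Split a 'k=v k=v' line into a dict (a value may itself contain '=')."""
    return dict(tok.split("=", 1) for tok in line.split())


def triage(source_type, raw):
    """Classify a 'no destination device' validation message for one raw event.

    expected      - the source type may lack a destination and the raw event has none: ignore.
    mapping_error - the raw event does carry a destination field, so the mapping into
                    Splunk UBA is dropping it: fix the mapping instead of ignoring the message.
    investigate   - a source type that normally carries a destination has none in the raw
                    event: check the source itself.
    Returns (verdict, list of destination fields found in the raw event).
    """
    ev = parse_kv(raw)
    present = [f for f in DEST_FIELDS if ev.get(f)]
    if present:
        return "mapping_error", present
    if source_type.lower() in NO_DEST_EXPECTED:
        return "expected", []
    return "investigate", []


def triage_all(events):
    """Triage every (source_type, raw) pair; returns (source_type, verdict, fields) tuples."""
    return [(src, *triage(src, raw)) for src, raw in events]


if __name__ == "__main__":
    for src, verdict, fields in triage_all(RAW_EVENTS):
        print(f"{src:10s} {verdict:14s} {fields}")
```

In the constructed sample the DHCP and DNS events are the case the documentation describes and are ignored, the HTTP event carries `dest_ip` in the raw data and so points at a mapping defect, and the firewall event has no destination where one is normally expected and is flagged for a look at the source.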
This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.2.0, 4.2.1, 4.2.2, 4.2.3