Splunk® User Behavior Analytics

Get Data In to Splunk User Behavior Analytics

This documentation does not apply to the most recent version of UBA.

Get data in to Splunk UBA

Splunk UBA uses data from the Splunk platform to identify potential insider and external threats to your environment. Work with Splunk Professional Services to get started with importing important data sources and filtering events.

Required and recommended data sources for Splunk UBA

The following sections summarize the required and recommended data sources that must be imported into Splunk UBA to make Splunk UBA fully operational.

Required data sources for Splunk UBA

Required data sources make Splunk UBA operational.

  • HR data from your HR system and Active Directory. This data contains information about employees and their login accounts.
  • Assets data from your CMDB, Enterprise Security, or Active Directory. This data contains information about the devices in your environment.
  • Windows security events from your domain controller logs. This data associates IP addresses to device names and users.
  • DHCP. This data associates IP addresses to physical MAC addresses.
  • Proxy. This data is used for use cases such as malware and machine-generated beaconing.
  • Firewall (perimeter). This data is used for use cases such as data exfiltration.

See Add data sources to Splunk UBA for information about the order in which to add data sources.

Recommended data sources for Splunk UBA

Recommended data sources unlock additional use cases and detections in Splunk UBA.

  • DNS
    • Internal DNS requests, in cases when no mandatory data sources provide associations between IP addresses and device names.
    • External DNS requests
  • Windows security events
    • Workstation logs
    • Command line logs
  • External alarms
    • ES notables
    • IPS/IDS
    • DLP
    • Malware
    • Antivirus
  • Endpoint
  • Email
  • VPN
  • Firewall (internal)
  • Netflow
  • Printer
  • Physical badge access
  • USB logs
  • Cloud storage

See Data source types for anomalies in Splunk UBA for information about which data sources must be imported for specific anomalies.

Prepare to add data sources in Splunk UBA

Before you add new data sources, review the types of data that you want to add and determine which ones Splunk UBA supports.

  1. In Splunk UBA Web, select Manage > Data Sources.
  2. Click New Data Source to review the data source types that you can add to Splunk UBA.
    [Screenshot: the New Data Source screen listing the supported data source types. Events File is highlighted by default; the other available types are Netcat, Syslog, HR File, Splunk HR Data, and Splunk.]

You can also review the data sources that produce different types of anomalies. See Data source types for anomalies in Splunk UBA.

After you determine which data sources you can add, make sure that existing event filters do not affect the new data sources. Review the existing event filters to check for settings that could negatively affect future data uploads. For example, an event filter that excludes source_IP data from one data source could affect the new data source. You might have to modify filters as you add new data sources.

Get started with a small dataset

Get started with a smaller set of data before working in a full production environment. This is useful for verifying that the data coming in to Splunk UBA is properly configured and mapped so that you see the desired anomalies and threats.

Add data sources to Splunk UBA

Complete the following steps to properly get data in to Splunk UBA.

  1. Get HR data in to Splunk UBA.
  2. Identify assets in your environment.
  3. Use blacklists and whitelists.
  4. Add data from the Splunk platform to Splunk UBA.

Verify your Splunk UBA data

See Verify that you successfully added the data source for information on how to verify a data source is successfully added to Splunk UBA.

Some data sources, such as DHCP, DNS, AD, or HTTP, do not always provide a destination device. If you ingest one of these data types and see validation error messages about a missing destination device, you can ignore those messages after you examine the raw event and confirm that it contains no destination device.
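The triage rule above, applied in code, as an added example that is not part of the Splunk documentation or product: raw events are assumed to be key=value text (constructed samples below), and the destination device, when present, is assumed to sit in one of the `DEST_FIELDS` names; both are assumptions, not a UBA specification.

```python
"""Triage 'missing destination device' validation messages from UBA ingest.

Added example, not Splunk code. Assumes key=value raw events and that a
destination device, when present, appears in one of DEST_FIELDS.
"""
import re

# Assumed field names that carry the destination device (not a UBA spec).
DEST_FIELDS = ("dest", "dest_host", "dest_ip", "dest_nt_host")
# Source types the documentation says may legitimately lack a destination.
NO_DEST_EXPECTED = {"dhcp", "dns", "ad", "http"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(raw: str) -> dict:
    """Parse a key=value raw event; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}


def has_dest(fields: dict) -> bool:
    return any(fields.get(f) for f in DEST_FIELDS)


def triage(sourcetype: str, raw: str) -> str:
    """Classify one flagged event as 'ignore' or 'investigate'."""
    fields = parse_kv(raw)
    if has_dest(fields):
        # The raw event does carry a destination, yet UBA flagged it:
        # the field mapping, not the data, needs attention.
        return "investigate"
    if sourcetype.lower() in NO_DEST_EXPECTED:
        return "ignore"  # expected: these sources don't always have one
    return "investigate"  # unexpected absence for this source type


# Constructed sample events (not real telemetry).
SAMPLE = [
    ("dhcp", "action=lease src_ip=10.0.0.5 src_mac=00:11:22:33:44:55 user=jdoe"),
    ("dns", "query=example.test src_ip=10.0.0.5 record_type=A"),
    ("http", "method=GET src_ip=10.0.0.5 dest_host=intranet.example.test status=200"),
    ("firewall", "action=allowed src_ip=10.0.0.5 dest_port=443"),
]


def triage_all(events=SAMPLE) -> dict:
    return {f"{st}:{i}": triage(st, raw) for i, (st, raw) in enumerate(events)}


if __name__ == "__main__":
    for key, verdict in triage_all().items():
        print(key, verdict)
```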


This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.2.0, 4.2.1, 4.2.2, 4.2.3
