Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

What is the custom use case framework?

Use the custom use case framework in Splunk UBA to create custom data cubes and models and deploy additional use cases not already covered by Splunk UBA's streaming and batch models. Content developers such as security research teams, security experts or professional services members can leverage the functionality of existing time series or rare events models by cloning the models to build a custom use case without writing code or defining algorithms.

Clone existing models or create new models in Splunk UBA

You can clone or create new batch (offline) models in Splunk UBA. You can clone or create the following types of batch models:

When a custom model is created, it remains in test mode until it is activated. Any anomalies generated by a model in test mode also remain in test mode so as to not interfere with ongoing day-to-day operations in Splunk UBA such as threat computations or investigations. When a model is activated, you can delete, ignore, or migrate the test mode anomalies to the production system, thereby making them available to all of Splunk UBA's components.

See Trigger or activate your custom models.

Create new cubes for data aggregation in Splunk UBA

The custom use case framework also provides the ability to create new data cubes. A data cube is a table of aggregated event data used by models to generate content in Splunk UBA. Cubes consist of dimensions and measures:

  • A dimension is a string value from a specific field in an event, such as the user ID.
  • A measure is a mathematical calculation based on a dimension, such as the total number of users.

See Understanding Splunk UBA data cubes.

Limits for the number of custom models, cubes, measures and dimensions in Splunk UBA

By default, you can create a maximum of four custom cubes in Splunk UBA, and each cube can have a maximum of six dimensions and three measures. If you want to create additional cubes, you must delete one of the existing custom cubes before you are able create another.

There is no limit to the number of custom models you can create, but you can only activate a maximum of six models at a time. If there are already six active custom models, you must deactivate one custom model before you can activate another.

Use the Content_Developer user role to develop custom content

Only users with the Content_Developer role have permissions to create content in Splunk UBA. See Manage user accounts and account roles in Splunk UBA in Administer Splunk User Behavior Analytics.

Last modified on 22 July, 2020
  Understanding Splunk UBA data cubes

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters