Add custom data to Splunk UBA using the generic data source
Use the generic data source type in Splunk UBA to add data that is not CIM compliant and not supported by any of the Splunk UBA native parsers.
For example, you might want to add credit card authorization and transaction data, and use the custom use case framework to develop custom models to raise anomalies. See What is the custom use case framework?
Credit card data is not CIM compliant, and Splunk UBA does not have a native parser to support this data format using the Splunk Raw Events data type.
Perform the following tasks to get custom data into Splunk UBA as a generic data source.
Access the Data Source Type wizard
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source and complete the pages in the wizard to configure the data source.
Follow the Data Source Type wizard steps
- Step 1 of 7: Data Source Type
- Select a data source type of Splunk and click Next.
- Step 2 of 7: Connection
- Specify a name for the data source, such as SplunkEnterprise. The data source name must be alphanumeric with no spaces or special characters.
- Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port, for example, https://splunksearchhead.splunk.com:8089. If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
- Type the username and password for the Splunk platform account.
- Leave the default Connector Type of Splunk Direct.
- Click Next.
- Step 3 of 7: Time Range
- Select a time range.
- To retrieve data using time-based micro batch queries, select Live and All time. See How data gets into Splunk UBA.
- To retrieve data at a regular interval defined by a time window, select Live and Time Window and specify a time period.
- To add historical data from the Splunk platform, select Date Range and select a calendar date range.
- Click Next.
- Step 4 of 7: Events to Process
- Select Splunk Query and enter a search in the field to identify the source type.
- Click Next.
- Step 5 of 7: Data Format
- Select Single Format.
- Select the GENERIC format from the drop-down list of formats.
- Click Next.
- Step 6 of 7: Splunk Query
Review the Splunk search created by the wizard. If you want, run the search in the Splunk platform to verify that the data output matches what you expect to see.
The source type in the Splunk platform appears on threats and anomalies in Splunk UBA. If you want to alias the source type to a more meaningful or accurate value, add an eval statement to the search that sets the source type field to a custom value:
| eval sourcetype="Your Custom Value"
If subsearches are used, wrap each square-bracket subsearch in ( and ) whenever possible, as shown in the following example:
(index=*default sourcetype=newdatasource) NOT ([| inputlookup logging1.csv]) NOT ([| inputlookup logging2.csv]) NOT ([| inputlookup logging3.csv | rename dest as src]) | eval action="allowed", eventtype=category | fields action,alarmCategories,bytes,bytes_in,bytes_out,category, dest_host,dest_ip,dest_port,duration,eventtype, ids_type,severity,signature,sourcetype,src_host,src_ip,src_port,tag,user
- Step 7 of 7: Test Mode
- To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
- Click OK to save the data source.
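To check a Step 6 query before pasting it into the wizard, here is an added Python example (not part of the Splunk documentation) that assembles a search in the shape shown above and flags any subsearch that is not wrapped in parentheses. The index, lookup file names, alias and field list are constructed sample values.

```python
"""Added example, not Splunk's own code: build a GENERIC data source
query for the Step 6 review and verify that every [...] subsearch is
wrapped in ( and ), as the wizard guidance recommends."""


def build_generic_query(base_search, exclusions, sourcetype_alias, fields):
    """Assemble the search: base search, NOT (subsearch) clauses, an
    optional sourcetype alias, and the trailing field list."""
    parts = [f"({base_search})"]
    for sub in exclusions:
        # Wrap each square-bracket subsearch in ( and ).
        parts.append(f"NOT ([{sub}])")
    query = " ".join(parts)
    if sourcetype_alias:
        # Alias the source type shown on UBA threats and anomalies.
        query += f' | eval sourcetype="{sourcetype_alias}"'
    query += " | fields " + ",".join(fields)
    return query


def unwrapped_subsearches(query):
    """Return the top-level [...] subsearches in query that are not
    directly enclosed in parentheses. Raises ValueError on unbalanced
    square brackets."""
    found, depth, start = [], 0, None
    for i, ch in enumerate(query):
        if ch == "[":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced square brackets in query")
            if depth == 0:
                before = query[:start].rstrip()
                after = query[i + 1:].lstrip()
                if not (before.endswith("(") and after.startswith(")")):
                    found.append(query[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced square brackets in query")
    return found


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    q = build_generic_query(
        "index=cc_auth sourcetype=newdatasource",
        ["| inputlookup allowlist.csv", "| inputlookup test_cards.csv | rename dest as src"],
        "credit_card_auth",
        ["action", "user", "sourcetype"],
    )
    print(q)
    print("unwrapped:", unwrapped_subsearches(q))
```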
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1