Splunk® User Behavior Analytics

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Welcome to Splunk UBA 5.0.0

Splunk UBA 5.0.0 is a platform release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.

If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documentation before you get started:

What's new in 5.0.0

Splunk UBA 5.0.0 contains the following features and enhancements:

New feature or enhancement Description and Documentation
Custom use case framework
Develop your own models in Splunk UBA to generate custom content and create your own use cases. You can clone or create new custom batch models, and also create new data cubes.


See What is the custom use case framework?

A new content developer role is provided for users to develop custom content without interfering with ongoing Splunk UBA activities.


See Manage user account and account roles in Splunk UBA.

High availability and disaster recovery
Configure warm standby in your deployment for high availability and disaster recovery. When the active Splunk UBA deployment is not available, you can failover to a duplicate standby Splunk UBA deployment.


See Configure warm standby in Splunk UBA.

Warm standby is a beta feature and must be implemented with the assistance of Splunk Support.

Collect periodic incremental backups that can be used for high availability as well as backup and restore use cases. Backups of Splunk UBA are collected without having to stop Splunk UBA.


See Backup and restore Splunk UBA using automated incremental backups.

Automatic incremental backup and restore is a beta feature and must be implemented with the assistance of Splunk Support.

Backup and restore Splunk UBA using scripts when you need to perform Splunk UBA migrations across operating systems. Both scripts will fully stop and restart Splunk UBA.


See Backup and restore Splunk UBA using the backup and restore scripts.

HR data HR data supports additional attributes by default: Employee Type, Departing User, On Performance Improvement Plan, Traveling, and High Risk User


See Get HR Data into Splunk UBA in Get Data into Splunk User Behavior Analytics.

Add your own attributes to HR data that are not provided by Splunk UBA.


See Add custom attributes to your HR data in Get Data into Splunk User Behavior Analytics.

Device management
Create IDR exclusion lists in Splunk UBA when you want to exclude users or devices from anomalies.


See Create IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics.

Support is provided for multivalue fields in assets data.


See Configure asset ingestion for multivalue fields.

Asset data is used by Splunk UBA to perform device resolution.


See Identify assets in your environment in Get Data into Splunk User Behavior Analytics.

Mask PII for auto-processed emails The email output connector now has an option to mask PII for auto-processed emails.


See Send Splunk UBA threats to analysts using email in Administer Splunk User Behavior Analytics..

Single sign-on configuration Single sign-on configuration in Splunk UBA is simplified. Use the Splunk UBA web interface to download and upload metadata files and automatically populate the required fields to integrate Splunk UBA with your SSO provider.


See Configure SSO using metadata files in Administer Splunk User Behavior Analytics.

Splunk UBA logging Splunk UBA logs can be sent to Splunk Enterprise using a custom index instead of _internal. Contact Splunk Support to obtain a new Splunk license so you can ingest Splunk UBA logs free of charge.


See Obtain a Splunk license for ingesting Splunk UBA logs.

IP allow lists and domain deny lists and allow lists. The default set of denied domains, allowed domains, and allowed IP addresses included with Splunk UBA are updated.


See Use allow and deny lists to generate or suppress anomalies in Get Data into Splunk user Behavior Analytics.

Splunk UBA Kafka Ingestion App If you are sending events from Splunk Enterprise directly to Kafka using the Splunk UBA Kafka Ingestion app, you can upgrade to version 1.2 of the app. This version is compatible with Splunk UBA and Splunk Enterprise using Python 3.


See Compatible Splunk Enterprise and Splunk UBA versions in the Splunk UBA Kafak Ingestion App manual.

MaxMind database The MaxMind location database is updated for accurate mapping of IP addresses to geographic locations.

New third-party software updates

This version of Splunk UBA includes the following third-party software updates. See Third-party credits in Splunk UBA.

  • OpenJDK is updated to version 1.8.0_191
  • InfluxDB is updated to version 1.7.7
  • Python is updated to version 3.6 and 3.7

External dependencies

A summary of external dependencies required to install Splunk UBA is included in the .tgz archive that you download for installation. View this summary by performing the following tasks:

  1. Download the Splunk_UBA_<version>-Packages_RHEL_<version>.tgz file.
  2. Look for the uba_rhel<version>_dependencies_rpms.txt file in the Splunk_UBA_<version>-Packages_RHEL_<version> folder. This file contains the external dependencies.

You can also download this external dependencies file:

Last modified on 07 June, 2023
  NEXT
Known Issues in Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters