Investigate threats from Splunk UBA using Splunk Enterprise Security
Threats sent from Splunk UBA to Splunk Enterprise Security (ES) appear as notable events on the Incident Review and Security Posture dashboards. You can see the count of notable events created from threats on the Security Posture dashboard as a Key Security Indicator (KSI).
On Incident Review, you can expand the event details to see the description, threat category, correlation search referencing Splunk UBA, and more details. Use the workflow actions on the event to view contributing anomalies and open the Threat Details page in Splunk UBA.
Integrating Splunk UBA to send threats to Splunk ES as notable events and synchronizing the status of the threats and notable events on both systems is enabled by default.
To send events from Splunk UBA to Splunk Enterprise without using Splunk ES, add the uba.splunkes.integration.enabled property to the /etc/caspida/local/conf/uba-site.properties file and set the property to false. See Send Splunk UBA data to Splunk Enterprise without Splunk Enterprise Security.
Use Splunk ES to close or reopen notable events so that the corresponding threats are also closed or reopened in Splunk UBA. Do not close or reopen threats in Splunk UBA.
Splunk UBA and Splunk ES must be configured as follows for Splunk UBA to be able to send threats to Splunk ES:
- Review the compatible Splunk ES and Splunk UBA versions. See Compatible software versions and available functionality in the Splunk Add-on for Splunk UBA manual.
- Verify that the name of the Splunk UBA server is specified correctly in Splunk ES.
The name of the Splunk UBA server that you specified when running the /opt/caspida/bin/Caspida setup command during installation must match the value stored in the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA. The name of the Splunk UBA server that was specified during setup is stored in the
- If you specified a Splunk UBA host name such as ubahost1 during setup, make sure that uiServer.host is set to the same host name.
- If you specified an IP address such as 10.11.12.1 during setup, make sure that uiServer.host is set to the same IP address.
- Configure an output connector to send threats from Splunk UBA to Splunk ES.
You must provide a username and password for a Splunk ES account with at least the permissions granted by the edit_reviewstatuses capability so that Splunk UBA is fully authorized for this integration. This privilege level is required so that Splunk UBA can access the Splunk ES APIs and make changes to the status of notable events. See Integrate Splunk Enterprise Security with Splunk UBA in the Splunk add-on for Splunk UBA manual.
If you are upgrading to Splunk UBA 4.3.0 from an earlier release, existing Splunk ES output connectors must be updated by providing a username and password.
Once the output connector is configured, Splunk UBA attempts to send threats to Splunk ES every five minutes with no limits on the number of retries. Any issues with the connection mean that new threats will not be sent to Splunk ES until the connection issues are resolved. Any connection issues between the output connector and Splunk ES also affect other output connectors that may be configured, such as email and ServiceNow. If the connection issues persist for more than one hour, alerts are generated in the health monitor in Splunk UBA. See Monitor the health of your Splunk UBA deployment.
Set the uba.splunkes.retry.delay.minutes property in the /etc/caspida/local/conf/uba-site.properties file to change the number of minutes for the retry interval.
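The two configuration tasks above (switching uba.splunkes.integration.enabled off and changing uba.splunkes.retry.delay.minutes) and the uiServer.host consistency check earlier in this section all come down to reading and editing uba-site.properties. The following is an added example, not Splunk's code: it parses a Java-style properties file, rewrites a property in place without duplicating the key, and reports whether uiServer.host matches the name given at setup. The file contents and the retry value of 10 are constructed for the example.

```python
"""Added example; this is not Splunk's code. It reads and updates a Java-style
properties file such as /etc/caspida/local/conf/uba-site.properties and checks
that uiServer.host matches the server name given at setup time. It runs
against a constructed in-memory sample, so nothing on disk is touched."""
import re
from pathlib import Path

# Constructed sample of uba-site.properties (not from a real deployment).
SAMPLE_PROPERTIES = """\
# uba-site.properties (constructed sample)
uiServer.host=ubahost1
uba.splunkes.integration.enabled=true
"""

# key=value or key:value; comment lines (# or !) and blank lines do not match.
_LINE_RE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> dict:
    """Return {key: value} for every property line in text."""
    props = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def set_property(text: str, key: str, value: str) -> str:
    """Return text with key set to value. An existing line for the key is
    rewritten in place (comments and other lines are preserved); otherwise
    the property is appended, so the key never appears twice."""
    out, found = [], False
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1) == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def check_ui_server_host(text: str, setup_name: str) -> list:
    """Return a list of problems (empty means the check passed): the value of
    uiServer.host must equal the host name or IP address used at setup."""
    host = parse_properties(text).get("uiServer.host")
    if host is None:
        return ["uiServer.host is not set"]
    if host != setup_name:
        return [f"uiServer.host is {host!r} but setup used {setup_name!r}"]
    return []


def update_properties_file(path, key: str, value: str) -> None:
    """On-disk variant: rewrite the file at path with key set to value."""
    p = Path(path)
    p.write_text(set_property(p.read_text(), key, value))


if __name__ == "__main__":
    print(check_ui_server_host(SAMPLE_PROPERTIES, "ubahost1"))
    print(check_ui_server_host(SAMPLE_PROPERTIES, "10.11.12.1"))
    # Page procedure: disable the ES integration and set a custom retry
    # interval (10 minutes is a constructed example value).
    text = set_property(SAMPLE_PROPERTIES, "uba.splunkes.integration.enabled", "false")
    text = set_property(text, "uba.splunkes.retry.delay.minutes", "10")
    print(text)
```

Run the host check with the exact string used at setup (host name or IP address); because the comparison is literal, ubahost1 and 10.11.12.1 are treated as different values even if they resolve to the same server, which is the mismatch this check is meant to catch.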
Work with Splunk UBA threats as notable events in Splunk Enterprise Security
When Splunk UBA and Splunk ES are integrated using an output connector, Splunk UBA creates a new custom status on Splunk ES called Closed in Uba. The status of threats in Splunk UBA and their corresponding notable events in Splunk ES are synchronized.
What happens when a threat is closed in Splunk UBA
Threats in Splunk UBA can be closed by the user, or closed by the system:
- Threats in Splunk UBA are considered closed by the user if Not a Threat is clicked in Splunk UBA.
- In all other cases, the threat in Splunk UBA is considered to be closed by the system.
When a threat is closed in Splunk UBA, Splunk UBA checks the status of the corresponding notable event in Splunk ES. If the notable event is not already closed in Splunk ES, Splunk UBA closes the notable event by setting the end status to Closed in Uba.
If the notable event is reopened in Splunk ES, a threat closed by the user in Splunk UBA is reopened. A threat closed by the system remains closed in Splunk UBA. The threat can still be viewed, but no action can be taken on the threat.
What happens when a threat is reopened in Splunk UBA
A threat in Splunk UBA can be reopened in the following cases:
- Threat computation causes a threat to be reopened
- An anomaly action rule affects anomalies that cause a threat to be reopened
- A threat rule is modified, causing a threat to be reopened
When a threat is reopened, Splunk UBA checks to see if the notable event in Splunk ES has an end status of ClosedInUba and if yes, the notable event is also reopened.
No action is taken if the notable event is already open in Splunk ES, or if it has an end status other than
Splunk UBA queries for the status of notable events in Splunk ES
Splunk UBA queries Splunk ES in five-minute intervals to synchronize the status of threats in Splunk UBA and notable events in Splunk ES.
When the query detects that a notable event is closed, Splunk UBA checks to see if the corresponding threat is also closed. If not, the threat is closed with a status of
When the query detects that a notable event is not closed, Splunk UBA checks to see if the corresponding threat has a status of ClosedbyUser. If so, the threat is reopened with a status of
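The close, reopen and polling rules above form a small state machine, and the asymmetry between user-closed and system-closed threats is easy to miss when reading them one at a time. The following is an added example, not Splunk's code: a model of the synchronization between one threat and its notable event. Closed in Uba and ClosedbyUser are the names used on this page; the other state labels are assumed for the model, and a threat that is closed because its notable event was closed in Splunk ES is treated as closed by the system (the page's "all other cases").

```python
"""Added example; this is not Splunk's code. A small model of the status
synchronization between a Splunk UBA threat and its Splunk ES notable event,
following the rules in this section. 'Closed in Uba' and 'ClosedbyUser' are
the page's names; the other labels are assumed for the model, and a threat
closed because its notable event was closed in ES is treated as closed by
the system (the page's 'all other cases')."""
from dataclasses import dataclass

# Threat states in Splunk UBA
OPEN = "open"
CLOSED_BY_USER = "ClosedbyUser"        # set only by clicking Not a Threat
CLOSED_BY_SYSTEM = "ClosedbySystem"    # assumed label for every other closure
# Notable event end statuses in Splunk ES
ES_OPEN = "open"
ES_CLOSED_IN_UBA = "Closed in Uba"     # custom status created by the integration
ES_CLOSED_OTHER = "Closed"             # assumed: closed with some other ES status


@dataclass
class Pair:
    """A UBA threat together with its corresponding ES notable event."""
    threat: str = OPEN
    notable: str = ES_OPEN


def close_threat_in_uba(p: Pair, not_a_threat_clicked: bool) -> Pair:
    """Threat closed in UBA. If the notable event is not already closed in
    ES, it gets the end status Closed in Uba."""
    p.threat = CLOSED_BY_USER if not_a_threat_clicked else CLOSED_BY_SYSTEM
    if p.notable == ES_OPEN:
        p.notable = ES_CLOSED_IN_UBA
    return p


def reopen_threat_in_uba(p: Pair) -> Pair:
    """Threat reopened by threat computation, an anomaly action rule, or a
    modified threat rule. The notable event is reopened only if its end
    status is Closed in Uba; any other status is left alone."""
    p.threat = OPEN
    if p.notable == ES_CLOSED_IN_UBA:
        p.notable = ES_OPEN
    return p


def set_notable_status_in_es(p: Pair, status: str) -> Pair:
    """An analyst changes the notable event in ES; UBA sees it on the next poll."""
    p.notable = status
    return p


def sync_poll(p: Pair) -> Pair:
    """The five-minute query UBA runs against ES."""
    if p.notable != ES_OPEN:
        # Notable closed in ES: close the threat if it is still open.
        if p.threat == OPEN:
            p.threat = CLOSED_BY_SYSTEM
    elif p.threat == CLOSED_BY_USER:
        # Notable open in ES: only a user-closed threat follows it back open.
        p.threat = OPEN
    # A system-closed threat stays closed even though the notable is open.
    return p


def walkthrough() -> list:
    """Two scenarios side by side; returns (label, threat, notable) rows."""
    rows = []
    user = close_threat_in_uba(Pair(), not_a_threat_clicked=True)
    sync_poll(set_notable_status_in_es(user, ES_OPEN))
    rows.append(("user-closed, then reopened in ES", user.threat, user.notable))
    system = close_threat_in_uba(Pair(), not_a_threat_clicked=False)
    sync_poll(set_notable_status_in_es(system, ES_OPEN))
    rows.append(("system-closed, then reopened in ES", system.threat, system.notable))
    return rows


if __name__ == "__main__":
    for row in walkthrough():
        print(*row)
```

The walkthrough shows why this section tells you to act on notable events in Splunk ES rather than on threats in Splunk UBA: reopening the notable event brings a user-closed threat back, but a system-closed threat stays closed and can only be viewed, and a notable event closed with any status other than Closed in Uba is not reopened when the threat is.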
What happens if the output connector is unable to send threats to Splunk ES
If the output connector is unable to send threats to Splunk ES, due to a network issue or Splunk ES being temporarily unavailable, the output connector will make another attempt every five minutes. After one hour, if the connection is not resolved, the output connector will raise an error in the health monitor. See OCS-11.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2