Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Investigate threats from Splunk UBA using Splunk Enterprise Security

Threats sent from Splunk UBA to Splunk Enterprise Security (ES) appear as notable events on the Incident Review and Security Posture dashboards. You can see the count of notable events created from threats on the Security Posture dashboard as a Key Security Indicator (KSI).

On Incident Review, you can expand the event details to see the description, threat category, correlation search referencing Splunk UBA, and more details. Use the workflow actions on the event to view contributing anomalies and open the Threat Details page in Splunk UBA.

Integrating Splunk UBA to send threats to Splunk ES as notable events and synchronizing the status of the threats and notable events on both systems is enabled by default.

To send events from Splunk UBA to Splunk Enterprise without using Splunk ES, add the uba.splunkes.integration.enabled property to the /etc/caspida/local/conf/uba-site.properties file and set the property to false. See Send Splunk UBA data to Splunk Enterprise without Splunk Enterprise Security.

Use Splunk ES to close or reopen notable events so that the corresponding threats are also closed or reopened in Splunk UBA. Do not close or reopen threats in Splunk UBA.

Prerequisites

Splunk UBA and Splunk ES must be configured as follows for Splunk UBA to be able to send threats to Splunk ES:

  • Review the compatible Splunk ES and Splunk UBA versions. See Compatible software versions and available functionality in the Splunk Add-on for Splunk UBA manual.
  • Verify that the name of the Splunk UBA server is specified correctly in Splunk ES.
    The name of the Splunk UBA server that you specified when running the /opt/caspida/bin/Caspida setup command during installation must match the value stored in the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA. The name of the Splunk UBA server that was specified during setup is stored in the /opt/caspida/conf/deployment/caspida-deployment.conf file.
    • If you specified a Splunk UBA host name such as ubahost1 during setup, make sure that uiServer.host is set to the same host name.
    • If you specified an IP address such as 10.11.12.1 during setup, make sure that uiServer.host is set to the same IP address.
  • Configure an output connector to send threats from Splunk UBA to Splunk ES.
    You must provide a username and password for a Splunk ES account with at least the permissions granted by the ess_analyst role with edit_reviewstatuses capability so that Splunk UBA is fully authorized for this integration. This privilege level is required so that Splunk UBA can access the Splunk ES APIs and make changes to the status of notable events. See Integrate Splunk Enterprise Security with Splunk UBA in the Splunk add-on for Splunk UBA manual.

    If you are upgrading to Splunk UBA 4.3.0 from an earlier release, existing Splunk ES output connectors must be updated by providing a username and password.

Once the output connector is configured, Splunk UBA attempts to send threats to Splunk ES every five minutes with no limits on the number of retries. Any issues with the connection mean that new threats will not be sent to Splunk ES until the connection issues are resolved. Any connection issues between the output connector and Splunk ES also affect other output connectors that may be configured, such as email and ServiceNow. If the connection issues persist for more than one hour, alerts are generated in the health monitor in Splunk UBA. See Monitor the health of your Splunk UBA deployment.

Modify the uba.splunkes.retry.delay.minutes property in the /etc/caspida/local/conf/uba-site.properties file to change the number of minutes in the retry interval.
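The prerequisites and properties above can be checked before the output connector is turned on. The following preflight script is an added example, not Splunk's own tooling: it parses the Java-style key=value format of uba-site.properties, compares uiServer.host with the host name or IP address given to the Caspida setup command, and validates the two uba.splunkes.* properties named on this page. The sample file content is constructed, and check_uba_site is a hypothetical helper name.

```python
"""Preflight check of the Splunk UBA settings named on this page (added example)."""
import re

# Constructed sample of /etc/caspida/local/conf/uba-site.properties
SAMPLE_PROPERTIES = """\
# local overrides
uiServer.host = ubahost1
uba.splunkes.integration.enabled=true
uba.splunkes.retry.delay.minutes = 5
"""


def parse_properties(text):
    """Parse key=value (or key: value) lines; blank lines and #/! comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_uba_site(text, setup_host):
    """Validate the settings this page depends on.

    setup_host is the host name or IP address supplied to
    /opt/caspida/bin/Caspida setup (the page says it is stored in
    /opt/caspida/conf/deployment/caspida-deployment.conf). Returns a dict with
    the effective settings and a list of problems; an empty list means the
    page's prerequisites hold.
    """
    props = parse_properties(text)
    problems = []

    # Prerequisite: uiServer.host must match the value given at setup time.
    ui_host = props.get("uiServer.host")
    if ui_host is None:
        problems.append("uiServer.host is not set")
    elif ui_host != setup_host:
        problems.append(
            f"uiServer.host={ui_host!r} does not match setup value {setup_host!r}"
        )

    # Integration with Splunk ES is enabled unless the property is set to false.
    enabled_raw = props.get("uba.splunkes.integration.enabled", "true").lower()
    if enabled_raw not in ("true", "false"):
        problems.append(
            f"uba.splunkes.integration.enabled has non-boolean value {enabled_raw!r}"
        )
    integration_enabled = enabled_raw != "false"

    # Retry interval defaults to five minutes and must be a positive integer.
    retry_raw = props.get("uba.splunkes.retry.delay.minutes", "5")
    retry_minutes = int(retry_raw) if retry_raw.isdigit() and int(retry_raw) > 0 else None
    if retry_minutes is None:
        problems.append(
            f"uba.splunkes.retry.delay.minutes must be a positive integer, got {retry_raw!r}"
        )

    return {
        "problems": problems,
        "integration_enabled": integration_enabled,
        "retry_minutes": retry_minutes,
    }


if __name__ == "__main__":
    for finding in check_uba_site(SAMPLE_PROPERTIES, "ubahost1")["problems"]:
        print("PROBLEM:", finding)
```

Run it against the real file by reading /etc/caspida/local/conf/uba-site.properties into `text` and passing the host recorded at setup; a non-empty problems list explains why threats would not reach Splunk ES before any connection attempt is made.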

Work with Splunk UBA threats as notable events in Splunk Enterprise Security

When Splunk UBA and Splunk ES are integrated using an output connector, Splunk UBA creates a new custom status on Splunk ES called Closed in Uba. The status of threats in Splunk UBA and their corresponding notable events in Splunk ES are synchronized.

This screen image shows the Status Configuration page in Splunk ES with a list of available statuses for notable events. The status with the label Closed in Uba is highlighted.

What happens when a threat is closed in Splunk UBA

Threats in Splunk UBA can be closed by the user, or closed by the system:

  • Threats in Splunk UBA are considered closed by the user if Not a Threat is clicked in Splunk UBA.
  • In all other cases, the threat in Splunk UBA is considered to be closed by the system.

When a threat is closed in Splunk UBA, Splunk UBA checks the status of the corresponding notable event in Splunk ES. If the notable event is not already closed in Splunk ES, Splunk UBA closes the notable event by setting the end status to Closed in Uba.

If the notable event is reopened in Splunk ES, a threat closed by the user in Splunk UBA is reopened. A threat closed by the system remains closed in Splunk UBA. The threat can still be viewed, but no action can be taken on the threat.

This screen image shows a flowchart of threats in Splunk UBA and their corresponding notable events in Splunk Enterprise Security. The flow of the data is described in the surrounding text.

What happens when a threat is reopened in Splunk UBA

A threat in Splunk UBA can be reopened in the following cases:

  • Threat computation causes a threat to be reopened
  • An anomaly action rule affects anomalies that cause a threat to be reopened
  • A threat rule is modified, causing a threat to be reopened

When a threat is reopened, Splunk UBA checks whether the notable event in Splunk ES has an end status of Closed in Uba. If it does, the notable event is also reopened.

No action is taken if the notable event is already open in Splunk ES, or if it has an end status other than Closed in Uba.

Splunk UBA queries for the status of notable events in Splunk ES

Splunk UBA queries Splunk ES in five-minute intervals to synchronize the status of threats in Splunk UBA and notable events in Splunk ES.

When the query detects that a notable event is closed, Splunk UBA checks whether the corresponding threat is also closed. If not, the threat is closed with a status of ClosedByUser.

This flowchart shows what happens to a threat in Splunk UBA when the status of its notable event is closed. If the threat is already closed in Splunk UBA, then no action is taken. If the threat is still active in Splunk UBA, then it is closed with a status of ClosedByUser.

When the query detects that a notable event is not closed, Splunk UBA checks whether the corresponding threat has a status of ClosedByUser. If so, the threat is reopened with a status of Active.

This flowchart shows what happens to a threat in Splunk UBA when the status of its notable event is not closed. If the threat does not have a status of ClosedByUser in Splunk UBA, then no action is taken. If the threat has a status of ClosedByUser in Splunk UBA, then it is reopened with a status of Active.
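The three sections above (threat closed in Splunk UBA, threat reopened in Splunk UBA, and the five-minute status query) together define a small state machine. The following model is an added example, not Splunk's code: it encodes those rules for one threat and its notable event so that the asymmetry between user-closed and system-closed threats can be traced. The status names Active, ClosedByUser and Closed in Uba come from the page; the labels ClosedBySystem, Open and Closed, the event names, and the function names are assumptions made for illustration.

```python
"""State model of Splunk UBA threat / Splunk ES notable-event synchronization (added example)."""
from dataclasses import dataclass

# Threat statuses in Splunk UBA (Active and ClosedByUser are named on the page;
# ClosedBySystem is an assumed label for a threat the system closed).
ACTIVE = "Active"
CLOSED_BY_USER = "ClosedByUser"
CLOSED_BY_SYSTEM = "ClosedBySystem"

# Notable-event statuses in Splunk ES ("Closed in Uba" is the custom status UBA
# creates; Open and Closed are assumed labels for any other open / end status).
OPEN = "Open"
CLOSED_IN_UBA = "Closed in Uba"
CLOSED = "Closed"
END_STATUSES = {CLOSED_IN_UBA, CLOSED}


@dataclass
class Pair:
    threat: str    # status of the threat in Splunk UBA
    notable: str   # status of the notable event in Splunk ES


def on_threat_closed(p, by_user):
    """Threat closed in UBA: close the notable with 'Closed in Uba' unless it is already closed."""
    p.threat = CLOSED_BY_USER if by_user else CLOSED_BY_SYSTEM
    if p.notable not in END_STATUSES:
        p.notable = CLOSED_IN_UBA


def on_threat_reopened(p):
    """Threat reopened in UBA: reopen the notable only if its end status is 'Closed in Uba'."""
    p.threat = ACTIVE
    if p.notable == CLOSED_IN_UBA:
        p.notable = OPEN


def on_poll(p):
    """Five-minute query of the notable's status in Splunk ES."""
    if p.notable in END_STATUSES:
        # Notable closed in ES: close a still-active threat as ClosedByUser.
        if p.threat == ACTIVE:
            p.threat = CLOSED_BY_USER
    else:
        # Notable open in ES: only a user-closed threat is reopened;
        # a system-closed threat stays closed.
        if p.threat == CLOSED_BY_USER:
            p.threat = ACTIVE


def simulate(events, threat=ACTIVE, notable=OPEN):
    """Apply a sequence of events to one threat/notable pair and return the final statuses."""
    p = Pair(threat, notable)
    for ev in events:
        if ev == "uba_close_by_user":      # analyst clicks Not a Threat in UBA
            on_threat_closed(p, by_user=True)
        elif ev == "uba_close_by_system":  # threat computation or rule change closes it
            on_threat_closed(p, by_user=False)
        elif ev == "uba_reopen":           # threat computation or rule change reopens it
            on_threat_reopened(p)
        elif ev == "es_reopen":            # analyst reopens the notable in ES
            p.notable = OPEN
        elif ev == "es_close":             # analyst closes the notable in ES
            p.notable = CLOSED
        elif ev == "poll":                 # UBA's periodic status query
            on_poll(p)
        else:
            raise ValueError(f"unknown event {ev!r}")
    return p.threat, p.notable


if __name__ == "__main__":
    print(simulate(["uba_close_by_user", "es_reopen", "poll"]))
    print(simulate(["uba_close_by_system", "es_reopen", "poll"]))
```

The two calls in the main block show the behaviour the page describes: a user-closed threat comes back to Active once the analyst reopens the notable in Splunk ES, while a system-closed threat stays closed even though its notable is open again.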

What happens if the output connector is unable to send threats to Splunk ES

If the output connector is unable to send threats to Splunk ES, due to a network issue or Splunk ES being temporarily unavailable, the output connector will make another attempt every five minutes. After one hour, if the connection is not resolved, the output connector will raise an error in the health monitor. See OCS-11.


This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2