Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics


Get started on the Splunk UBA home page

After you log in to Splunk User Behavior Analytics, you see the home page. Review the key indicators and panels to get an overview of the current security posture in your environment.

This screen image shows the Splunk UBA home page. The elements on this page are described in the following text.

Review key indicators

The following key indicators are available at the top of the home page:

  • Threats - Summarizes the total number of active threats in your environment
  • Anomalies - Summarizes the total number of anomalies in your environment
  • Users - Summarizes the total number of anomalous, known, and unknown users
  • Devices - Summarizes the total number of anomalous, internal, and external devices
  • Apps - Summarizes the total number of anomalous apps compared with the total number of apps

Start investigative workflows

Using the green buttons on the right side of the home page, you can start several investigative workflows:

Review dashboard panels

Get an overview of recent suspicious activity by reviewing the dashboard panels.

  • Review the Latest Threats panel to see the most recent threats facing your organization. Click View Details to open the threats table and view all threats.
  • Track threats on the 7-Day Threats Timeline to identify recent trends in threat activity.
  • Review the Latest Anomalies panel to see the most recent anomalies identified in your organization. Click View Details to open the anomalies table and view all anomalies. See Review anomalies on the anomalies table.
  • Identify recent anomalies on the 7-Day Anomalies Timeline.
  • Make sure that event processing is flowing as expected with the Events Processing panel. Click the number of events to review the Events dashboard.
  • Review the 7-Day Events Trend to identify any unexpected changes in event processing.

Filter the scope of anomalies and threats

Click Scope on the menu bar to filter the anomalies and threats that are displayed in Splunk UBA. By default, anomalies and threats for all time are displayed. You can select one of the options to view anomalies and threats for a specific period of time:

  • Any Date (default)
  • Last 12 Months
  • Last 30 Days
  • Last 7 Days

Entity scoring for users, devices, and apps is affected by adjusting this filter. Entity scoring happens automatically on a daily basis.

Scope selected in Splunk UBA | How the scope affects entity scoring
-----------------------------|-------------------------------------
Any Date                     | Entity scoring is based on anomalies and threats from the past 2 months. This window of time can be customized by adjusting the entity.score.lookbackWindowMonths property in the /etc/caspida/local/conf/uba-site.properties file.
Last 12 Months               | Entity scoring is based on anomalies and threats from the past 2 months. This window of time can be customized by adjusting the entity.score.lookbackWindowMonths property in the /etc/caspida/local/conf/uba-site.properties file.
Last 30 Days                 | Entity scoring is based on anomalies and threats from the past 30 days.
Last 7 Days                  | Entity scoring is based on anomalies and threats from the past 7 days.

Entity scoring occurs in real time when new anomalies are raised, or when existing anomalies are placed in the trash, permanently deleted, or restored.

Some anomaly actions that should cause real-time entity scoring adjustments may take up to 24 hours before the updated scores are reflected in Splunk UBA.
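The following Python snippet is an added illustration of the scope-to-scoring-window relationship described above; it is not Splunk code and does not call any Splunk UBA API. It assumes the documented behaviour: the Any Date and Last 12 Months scopes score on the past entity.score.lookbackWindowMonths months (2 when the property is not set in uba-site.properties), while Last 30 Days and Last 7 Days score on exactly that many days. The properties-file parser is a minimal Java-style parser written for this example, and the sample file contents are constructed.

```python
"""Resolve the effective entity-scoring window for a Splunk UBA scope.

Added illustration, not Splunk's own code. Assumes the documented
behaviour: "Any Date" and "Last 12 Months" use the past
entity.score.lookbackWindowMonths months (default 2), while
"Last 30 Days" and "Last 7 Days" use exactly that many days.
"""
from __future__ import annotations

PROPERTY = "entity.score.lookbackWindowMonths"
DEFAULT_LOOKBACK_MONTHS = 2  # documented default: the past 2 months


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java-style .properties parser (key=value or key: value,
    '#' and '!' comment lines). Written for this example only."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates the key from the value.
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            props[line] = ""
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def lookback_months(props: dict[str, str]) -> int:
    """Lookback window in months, falling back to the documented default."""
    value = props.get(PROPERTY)
    if value is None:
        return DEFAULT_LOOKBACK_MONTHS
    months = int(value)
    if months <= 0:
        raise ValueError(f"{PROPERTY} must be a positive integer, got {value!r}")
    return months


def scoring_window(scope: str, props: dict[str, str]) -> tuple[int, str]:
    """Return (length, unit) of the window entity scoring uses for a scope."""
    key = scope.strip().lower()
    if key in ("any date", "last 12 months"):
        return (lookback_months(props), "months")
    if key == "last 30 days":
        return (30, "days")
    if key == "last 7 days":
        return (7, "days")
    raise ValueError(f"unknown scope: {scope!r}")


# Constructed sample of /etc/caspida/local/conf/uba-site.properties
# with the lookback window raised from the default 2 months to 6.
SAMPLE_UBA_SITE_PROPERTIES = """\
# constructed sample, not a real site file
entity.score.lookbackWindowMonths = 6
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_UBA_SITE_PROPERTIES)
    for s in ("Any Date", "Last 12 Months", "Last 30 Days", "Last 7 Days"):
        n, unit = scoring_window(s, props)
        print(f"{s:15} -> entity scores based on the past {n} {unit}")
```

Running the block with the constructed sample shows that changing the property only moves the window for the Any Date and Last 12 Months scopes; the 30-day and 7-day scopes are fixed regardless of the file.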

Last modified on 25 October, 2019

This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2
