Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics


Use event drilldown to review an anomaly's raw events

Use event drilldown on the Anomaly Details page to review raw events in Splunk Enterprise that led to anomaly creation in Splunk UBA. Event drilldown is only available for anomalies generated by models, not for rule-based anomalies.

Prerequisites for using event drilldown

Verify the following before using event drilldown:

  • Splunk UBA must be connected to Splunk Enterprise. Follow the instructions in Connect Splunk UBA to Splunk Enterprise to view an anomaly's raw events to define the search heads and search head clusters in your Splunk Enterprise deployment.
  • Any Splunk UBA user with any role can review an anomaly's raw events in Splunk Enterprise using their own credentials. The person viewing the events does not have to be the same person who onboarded the data into Splunk Enterprise. However, in some cases, the generated URL may be too long for the Splunk HTTP server to process. If this happens, perform the following tasks:
    1. Set the following property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA:
      triggering.event.search.backend.submission = true
    2. In distributed deployments, synchronize the cluster:
      /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
    3. Restart the job manager:
      sudo service caspida-jobmanager stop
      sudo service caspida-jobmanager start
      
    This causes Splunk UBA to submit the generated SPL to Splunk Enterprise using the role of the data source. The search job's permission allows read access for any user belonging to the Splunk roles starting with uba_. See Manage user accounts and account roles in Splunk UBA.

Where do I see event drilldown?

The Event Drilldown panel appears on the Anomaly Details page. The following example shows the Event Drilldown panel for the Download from Internal Server anomaly, which is generated by an offline model:

This screen image shows the details page for the Download from Internal Server anomaly. There is a highlighted section at the bottom called Event Drilldown.

The Event Drilldown panel for anomalies generated by streaming models, such as Suspicious Network Connection, is populated with a sample event, as shown in the example below:

This screen image shows the details page for the Suspicious Network Connection anomaly. There is a highlighted section at the bottom called Event Drilldown.

Use and configure event drilldown

To use event drilldown, perform the following tasks:

  1. Click Generate Contributing Events Link(s) to generate a link called View Events Link. Splunk UBA pre-calculates this link for certain types of anomalies so that View Events Link is visible when the Anomaly Details page is loaded for the first time. See Splunk UBA caches SPL for important anomalies.
  2. Click View Events Link to view raw events in Splunk Enterprise and begin your investigation. After the links are generated, the Generate Contributing Events Link(s) button becomes inactive and remains inactive unless you change the Advanced Identity Lookup toggle. See Use Advanced Identity Lookup.

When the events that generated an anomaly come from search heads in multiple search head clusters, multiple View Events Link links appear after you click Generate Contributing Events Link(s).

When you click on View Events Link, an SPL query is automatically generated using relevant data from the anomaly, including username, email ID, IP addresses (internal and external), host names (if available), and time range. Use this query to collect more supporting evidence from Splunk Enterprise. In environments with search heads in multiple clusters, each View Events Link link generates its own SPL query.

Macros are not supported in event drilldown. If the SPL generated for a data source contains a macro, that data source is skipped.

Splunk UBA caches SPL for important anomalies

Splunk UBA caches the SPL for important anomalies. Raw events for the following types of anomalies are pre-populated and cached in Splunk UBA. When you load the Anomaly Details page, the View Events Link link is already visible for anomalies in either of the following categories:

  • Anomalies included in a threat
  • Anomalies with a score of 8 or higher

You can adjust the anomaly score threshold by performing the following tasks:

  1. Configure the triggering.event.pre.calculate.links.anomaly.threshold property in the /etc/caspida/local/conf/uba-site.properties file to adjust the anomaly score threshold. The default is 8. As an example, you can set the threshold to 9 if you only want anomalies with a score of 9 or higher to be pre-populated and cached in Splunk UBA.
  2. In distributed deployments, synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
  3. Restart the job manager:
    sudo service caspida-jobmanager stop
    sudo service caspida-jobmanager start
    

Use Advanced Identity Lookup

Enable the Advanced Identity Lookup toggle to view the original IDs in the raw events instead of the Splunk UBA entity name. For example, instead of the resolved device name jsmith-laptop, you see the device's actual IP address, which can help your investigation.

If you have already generated a View Events Link by clicking Generate Contributing Events Link(s) and the Generate Contributing Events Link(s) button is inactive, changing the Advanced Identity Lookup toggle makes the button active again. You can then click Generate Contributing Events Link(s) to generate new links.

  • Splunk UBA requires up to two hours to generate advanced identity data for events. If an anomaly is not yet two hours old, this toggle is disabled until the anomaly is more than two hours old.
  • When the toggle is enabled, identity data from the past 7 days is used to view contributing events. If an anomaly is more than 7 days old and event drilldown links have not been calculated before, this toggle is disabled and cannot be changed.
  • For anomalies that already have calculated links, the toggle appears in the position that was used to generate the links. You can change the toggle position and generate new links.

Configure properties to increase the timeout interval

If you see a "Triggering Event time out" error message, perform the following tasks:

  1. Adjust the timeout value in the triggering.event.timeout.millis property in the /etc/caspida/local/conf/uba-site.properties file. The default timeout value is 5 minutes, or 300,000 milliseconds.
  2. In distributed deployments, synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
  3. Restart the job manager:
    sudo service caspida-jobmanager stop
    sudo service caspida-jobmanager start
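The three procedures on this page (enabling triggering.event.search.backend.submission, changing triggering.event.pre.calculate.links.anomaly.threshold, and raising triggering.event.timeout.millis) are the same edit-sync-restart sequence with a different property each time. The following script is an added example, not Splunk's own tooling: it sets a property in uba-site.properties idempotently (replacing an existing line rather than appending a duplicate, so repeated runs cannot leave two conflicting values behind) and then runs the documented sync and restart commands. It assumes the file uses "key = value" lines, that the Caspida binary and the caspida-jobmanager service are present only on a real Splunk UBA node, and that the file path can be overridden through the UBA_SITE_PROPS variable for testing; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): set a Splunk UBA property in
# uba-site.properties idempotently, then run the documented sync and restart.
# Assumptions: "key = value" lines; the Caspida binary and the
# caspida-jobmanager service exist only on a real Splunk UBA node.

UBA_SITE_PROPS="${UBA_SITE_PROPS:-/etc/caspida/local/conf/uba-site.properties}"

# set_uba_property FILE KEY VALUE
# Rewrites an existing "KEY = ..." line in place, or appends one if the key
# is absent, so repeated runs never leave duplicate keys behind.
set_uba_property() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  tmp=$(mktemp) || return 1
  awk -F= -v k="$key" -v v="$value" '
    { k2 = $1; gsub(/^[ \t]+|[ \t]+$/, "", k2) }   # key part of the line, trimmed
    k2 == k { print k " = " v; done = 1; next }     # replace the existing line
    { print }                                       # keep every other line as-is
    END { if (!done) print k " = " v }              # append when the key is missing
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$file"   # overwrite in place to keep ownership and permissions
  rm -f "$tmp"
}

# get_uba_property FILE KEY: print the trimmed value of KEY, or nothing if absent.
get_uba_property() {
  awk -F= -v k="$2" '
    { line = $0; k2 = $1; gsub(/^[ \t]+|[ \t]+$/, "", k2) }
    k2 == k { sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line); print line; exit }
  ' "$1"
}

# apply_uba_property KEY VALUE: the three steps the documentation repeats.
apply_uba_property() {
  set_uba_property "$UBA_SITE_PROPS" "$1" "$2" || return 1      # step 1: edit the property
  if [ -x /opt/caspida/bin/Caspida ]; then
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf  # step 2: distributed deployments
    sudo service caspida-jobmanager stop                            # step 3: restart the job manager
    sudo service caspida-jobmanager start
  else
    echo "Caspida not found; edited $UBA_SITE_PROPS only (step 1)" >&2
  fi
}

# Usage: sh uba-set-property.sh triggering.event.timeout.millis 600000
if [ $# -eq 2 ]; then
  apply_uba_property "$1" "$2"
fi
```

Because the sync and restart commands are only attempted when /opt/caspida/bin/Caspida exists, the property-editing functions can be exercised on a workstation against a copy of uba-site.properties before the change is applied on the Splunk UBA node.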
    
Last modified on 18 October, 2019

This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2, 5.0.3
