Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Identify assets in your environment

Asset data refers to information about the devices that are owned by your company. Splunk UBA ingests asset data from Splunk Enterprise daily using asset lookup queries. Splunk UBA uses this predefined device information in the following ways:

  • An in-memory cache is used to store some of the asset lookup results, which are used by Splunk UBA to perform device resolution. See Device resolution in Splunk UBA in Use Splunk User Behavior Analytics for more information about how Splunk UBA uses asset data to resolve device names.
  • Blacklist devices such as domain controllers, exchange servers, file servers, print servers or proxy servers that are not associated with a specific user.
  • Display additional metadata for devices in the system.

You can update the asset data information in Splunk UBA using one of the following methods, both described in this topic: perform asset identification by using the Splunk Assets data source, or perform asset identification by using a CSV file when you cannot run direct searches.

Prerequisites for performing asset identification

You must perform asset identification after HR data is loaded into Splunk UBA, but before any event data is loaded.

In addition, verify the following on Splunk Enterprise:

  • The ldapsearch command must be available and capable of accessing the LDAP server. The ldapsearch command is used to retrieve domain controller information.

    Splunk UBA cannot obtain domain controller information in Splunk Cloud environments.

  • If you have Splunk Enterprise Security (ES), the asset table must be reachable through Splunk Enterprise. Access to the asset table is required to access the asset database.
  • References to indexes and sources of Windows Security events in Splunk Enterprise must be available. The indexes and sources are required to access proxy information.

Not all data at your site might be processed correctly. In some cases you receive an error message in Splunk UBA; in others, the error is reported only in the log file.

Asset data fields

Assets in Splunk UBA can be searched using the fields listed below. Each entry gives the field name, its data type, a description, and an example value.

  • hostname (string): Required. The hostname of the device. Example: server1
  • blackListDeviceIr (boolean): Recommended. Indicates whether or not any IP addresses are associated with the MAC address for this device. Set to true to prevent any IP addresses from being associated with the MAC address for this device. See Exclude identity resolution for devices or users. Example: false
  • blackListUserIr (boolean): Recommended. Indicates whether or not any users are associated with this device. Set to true to prevent any users from being associated with this device. See Exclude identity resolution for devices or users. Example: false
  • app (string): The application name. Example: Database
  • asset_tag (string): The asset ID on the physical asset tag, such as a sticker, that is typically placed on each device in your organization. Example: 123456
  • bunit (string): The business unit that the device belongs to. Examples: EMEA, NorCal
  • city (string): The city where the device is located. Example: Chicago
  • cost_center (string): The cost center that the device belongs to. Example: SP01FIN
  • country (string): The country where the device is located. Example: USA
  • created_by (string): The name of the user who created the device in the system. Example: DevOps
  • department (string): The department that the device belongs to. Examples: Field Reps, ITS, Products, HR
  • deviceType (string): The type of device. Example: client
  • dns_domain (string): The domain of the device. Example: www.acmetech.org
  • dns (string): The FQDN of the device. Example: server1.corp1.acmetech.org
  • ip (array): The IP address of the device. The field may contain multiple values. See Configure asset ingestion for multivalue fields. Example: 2.1.1.1
  • is_expected (boolean): Indicates whether or not this device is always expected. Alerts are generated if this device stops reporting events. Example: true
  • latitude (string): The latitude of the device location. Example: 37.780080
  • longitude (string): The longitude of the device location. Example: -122.420170
  • mac (array): The MAC address of the device. The field may contain multiple values. See Configure asset ingestion for multivalue fields. Example: 00:50:ef:84:f1:21|00:50:ef:84:f1:20
  • managed_by (string): The manager of the device. Example: admin
  • os (string): The operating system running on the device. Examples: macOS, Windows
  • os_domain (string): The OS domain of the device. Example: Windows
  • owner (string): The owner of the device. Examples: f.prefect@acmetech.org, DevOps, Bill
  • pci_domain (string): The PCI address domain of the device. Examples: dmz, untrust
  • serial (string): The serial number of the device. Example: AB1C24D5EFGH
  • status (string): The hexadecimal Windows status code for the device. Example: 0XC0000234 (user is currently locked out)
  • substatus (string): The hexadecimal sub-status code for the device. Example: 0XC000006D (invalid username or authentication)
  • sys_created_on (timestamp): The date and time stamp of when the device was first entered into the system. The format is MM/DD/YYYY. Example: 05/01/2019
  • sys_updated_on (timestamp): The date and time stamp of the last time the device was updated, for example when a laptop is assigned to a new owner. The format is MM/DD/YYYY. Example: 05/01/2019

Configure asset ingestion for multivalue fields

Some assets can have multiple values in a field, such as multiple IP addresses or MAC addresses. Splunk UBA creates a separate device for each IP address or MAC address if the addresses are separated by commas, as shown in the following example:

192.168.10.10,192.168.10.20,192.168.10.30

For data sources such as Splunk Enterprise Security (ES) that use a delimiter other than a comma, update the attribution.keyvalue.delimiter property in the uba-site.properties file to specify the desired delimiter. For example, to specify that multiple IP and MAC addresses are separated using a pipe (|) character instead of a comma:

attribution.keyvalue.delimiter=Device.ip=\\|,Device.mac=\\|
  • Device.ip refers to the ip attribute of the Device attribution and is case-sensitive.
  • Device.mac refers to the mac attribute of the Device attribution and is case-sensitive.
  • \\| is the regular expression for the desired delimiter (a pipe character, escaped).

This example takes the IP addresses 192.168.10.10|192.168.10.20|192.168.10.30 and stores them as follows in Splunk UBA:

{192.168.10.10,192.168.10.20,192.168.10.30}

Remove or comment out the attribution.keyvalue.delimiter property to use a comma as the delimiter for multivalue fields.

Synchronize your Splunk UBA cluster after making any changes to your uba-site.properties file:

/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
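To see what the delimiter override above means for ingested values, here is an added Python example (not part of this documentation or of Splunk UBA) that reads an attribution.keyvalue.delimiter line from a constructed uba-site.properties fragment and splits raw ip and mac values the way the property describes: per-attribute regex, comma by default, attribute names case-sensitive. The .properties handling is a simplified reading of that file format, assumed here.

```python
import re

# Constructed uba-site.properties fragment (example only, not a real file).
# In a .properties file "\\|" is the two-character regex \| after unescaping.
UBA_SITE_PROPERTIES = r"""
# multi-value delimiter override, as described above
attribution.keyvalue.delimiter=Device.ip=\\|,Device.mac=\\|
"""

DEFAULT_DELIMITER = ","  # used for any attribute without an override


def load_delimiters(properties_text):
    """Return {attribute: regex} parsed from attribution.keyvalue.delimiter.

    An absent or commented-out property yields an empty map, so every
    attribute falls back to the comma delimiter.
    """
    delims = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue  # blank or comment line
        key, sep, value = line.partition("=")
        if sep != "=" or key.strip() != "attribution.keyvalue.delimiter":
            continue
        # simplified .properties unescaping: a doubled backslash is one backslash
        value = value.strip().replace("\\\\", "\\")
        for entry in value.split(","):
            attr, _, regex = entry.partition("=")
            if attr and regex:
                delims[attr] = regex  # attribute names are case-sensitive
    return delims


def split_multivalue(attribute, raw, delimiters):
    """Split one raw asset field into the separate values Splunk UBA would store."""
    regex = delimiters.get(attribute)  # exact, case-sensitive match only
    parts = raw.split(DEFAULT_DELIMITER) if regex is None else re.split(regex, raw)
    return [p.strip() for p in parts if p.strip()]


if __name__ == "__main__":
    delims = load_delimiters(UBA_SITE_PROPERTIES)
    print(split_multivalue("Device.ip", "192.168.10.10|192.168.10.20|192.168.10.30", delims))
```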

Perform asset identification by using the Splunk Assets data source

After you meet the requirements for performing asset identification, you can begin asset identification by using the Splunk Assets data source.

Complete the following tasks to perform asset identification in Splunk UBA:

  1. Configure a Splunk Assets data source.
  2. Perform an LDAP query to obtain assets data from the Splunk platform.
  3. Modify the Splunk UBA asset configuration files.

Configure a Splunk Assets data source

Configure a Splunk Assets data source in Splunk UBA.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Scroll down to the Device Attribution section, select Splunk Assets, and then click Next.
  4. Enter the connection details to the Splunk platform (name, URL, and authentication credentials), and then click Next. If you are connecting to Splunk ES, specify the Splunk ES search head as the URL of the data source.
  5. Specify the query frequency and search string to get WinEventSecurity data for proxy identification. The frequency interval begins when the data source is configured. For example, if you finish configuring the data source at 3:30PM and you select Daily as the frequency, Splunk UBA refreshes the asset data each day at 3:30PM. The query can only contain sourcetype and Splunk indexes. For example:

    index=main sourcetype=WinEventLog:Security

  6. Click OK.

Perform an LDAP query to obtain assets data from the Splunk platform

After you create a Splunk Assets data source, perform an LDAP query to create a lookup CSV file.

Use the following example as a guideline, and replace the commands and transformations as needed for your environment:

  1. Create an LDAP query such as the one below and run it on Splunk Enterprise. The query creates a CSV file that is used in a later step.

    | ldapsearch domain=<domain-name> search="(&(objectCategory=computer)(sAMAccountName=*))" attrs="accountExpires,cn,countryCode,dNSHostName,department,description,distinguishedName,division,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,name,objectCategory,objectGUID,objectSid,operatingSystem,operatingSystemVersion,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,userAccountControl,whenChanged,whenCreated" | outputlookup uba_ldapsearch_computers.csv

    Be sure to replace <domain-name> with an appropriate domain name for your environment.
  2. Schedule the LDAP query as a job to run every night around 10:00 PM local time. See Scheduling searches in the Splunk Enterprise Search Manual.

Modify the Splunk UBA asset configuration files

Modify the Splunk UBA asset configuration files to use the lookup CSV file you created earlier.

  1. Make local copies of the existing asset configuration files and put them in the /etc/caspida/local/conf folder:
    cp -a /etc/caspida/conf/asset_* /etc/caspida/local/conf/.
  2. Replace the contents of /etc/caspida/local/conf/asset_dc_query.txt with a lookup query such as the one below:

    | inputlookup uba_ldapsearch_computers.csv | fields - _raw | rex max_match=0 field=distinguishedName ".*?OU=(?<groups>[^,=]+),.*?" | eval deviceType=mvjoin(groups, " - ") | rename name as hostname, dNSHostName as dns, operatingSystem as os, countryCode as country, whenCreated as sys_created_on, whenChanged as sys_updated_on | eval blackListUserIr=IF((lower(deviceType)="domain controllers" OR like(lower(deviceType), "%prox%") OR like(lower(deviceType), "%exch%") OR like(lower(deviceType), "%dns%") OR lower(deviceType)="azurecoread"),"true","false") | table accountExpires,blackListUserIr,cn,country,department,description,deviceType,distinguishedName,division,dns,hostname,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,objectCategory,objectGUID,objectSid,operatingSystemVersion,os,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,sys_updated_on,sys_created_on,userAccountControl

  3. Update the /etc/caspida/local/conf/asset_es_pull_query.txt and /etc/caspida/local/conf/asset_proxy_query.txt files with valid queries that return no results. For example:

    | inputlookup uba_ldapsearch_computers.csv | search deviceType="abc"

  4. Run the following command to sync the configuration changes across your deployment.
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
  5. Run the following commands to restart Splunk UBA services:
    /opt/caspida/bin/Caspida stop
    /opt/caspida/bin/Caspida start
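To check what the asset_dc_query.txt lookup above will produce before you sync and restart, here is an added Python example (not part of this documentation or of Splunk UBA) that applies the same OU extraction, field renames and blackListUserIr rule to constructed ldapsearch rows; the sample hostnames and distinguished names are assumed.

```python
import re

# Same OU-extraction pattern as the rex in asset_dc_query.txt (Python named-group syntax)
OU_PATTERN = re.compile(r".*?OU=(?P<groups>[^,=]+),.*?")


def device_type_from_dn(distinguished_name):
    """rex max_match=0 over the DN, then eval deviceType=mvjoin(groups, " - ")."""
    groups = [m.group("groups") for m in OU_PATTERN.finditer(distinguished_name)]
    return " - ".join(groups)  # empty string when the DN has no OU component


def blacklist_user_ir(device_type):
    """Mirror the IF(...) expression: infrastructure OUs are excluded from user resolution."""
    t = device_type.lower()
    infra = (t == "domain controllers" or "prox" in t or "exch" in t
             or "dns" in t or t == "azurecoread")
    return "true" if infra else "false"  # the lookup emits strings, as the SPL does


def build_asset_row(ldap_record):
    """Apply the rename and eval steps of the lookup query to one ldapsearch result row."""
    device_type = device_type_from_dn(ldap_record.get("distinguishedName", ""))
    return {
        "hostname": ldap_record.get("name"),
        "dns": ldap_record.get("dNSHostName"),
        "os": ldap_record.get("operatingSystem"),
        "country": ldap_record.get("countryCode"),
        "sys_created_on": ldap_record.get("whenCreated"),
        "sys_updated_on": ldap_record.get("whenChanged"),
        "deviceType": device_type,
        "blackListUserIr": blacklist_user_ir(device_type),
    }


# Constructed rows standing in for uba_ldapsearch_computers.csv (not real hosts)
SAMPLE_LDAP_ROWS = [
    {"name": "DC01", "dNSHostName": "dc01.corp.example.test", "operatingSystem": "Windows Server",
     "countryCode": "US", "whenCreated": "05/01/2019", "whenChanged": "05/01/2019",
     "distinguishedName": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example,DC=test"},
    {"name": "WS01", "dNSHostName": "ws01.corp.example.test", "operatingSystem": "Windows 10",
     "countryCode": "US", "whenCreated": "05/01/2019", "whenChanged": "05/01/2019",
     "distinguishedName": "CN=WS01,OU=Workstations,OU=NorCal,DC=corp,DC=example,DC=test"},
]


def build_asset_rows(ldap_records=SAMPLE_LDAP_ROWS):
    return [build_asset_row(r) for r in ldap_records]


if __name__ == "__main__":
    for row in build_asset_rows():
        print(row["hostname"], row["deviceType"], row["blackListUserIr"])
```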

Perform asset identification by using a CSV file

Perform asset identification by using a CSV file when you are not able to perform direct searches. Perform the LDAP query to create a lookup CSV file, then use the CSV file in a lookup query.

Use the following example as a guideline, and replace the commands and transformations as needed for your environment:

  1. Follow the instructions in Configure a Splunk Assets data source to create a Splunk Assets data source.
  2. Schedule the LDAP query as a job to run every night around 10:00 PM local time. See Scheduling searches in the Splunk Enterprise Search Manual.
  3. Specify an LDAP query such as the one below and create the CSV file:

    | ldapsearch domain=<domain-name> search="(&(objectCategory=computer)(sAMAccountName=*))" attrs="accountExpires,cn,countryCode,dNSHostName,department,description,distinguishedName,division,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,name,objectCategory,objectGUID,objectSid,operatingSystem,operatingSystemVersion,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,userAccountControl,whenChanged,whenCreated" | outputlookup uba_ldapsearch_computers.csv | stats count

    Be sure to replace <domain-name> with an appropriate domain name for your environment.
  4. Make local copies of the existing asset configuration files and put them in the /etc/caspida/local/conf folder:
    cp -a /etc/caspida/conf/asset_* /etc/caspida/local/conf/.
  5. Add a lookup query such as the one below to /etc/caspida/local/conf/asset_dc_query.txt:

    | inputlookup uba_ldapsearch_computers.csv | fields - _raw | rex max_match=0 field=distinguishedName ".*?OU=(?<groups>[^,=]+),.*?" | eval deviceType=mvjoin(groups, " - ") | rename name as hostname, dNSHostName as dns, operatingSystem as os, countryCode as country, whenCreated as sys_created_on, whenChanged as sys_updated_on | eval blackListUserIr=IF((lower(deviceType)="domain controllers" OR like(lower(deviceType), "%prox%") OR like(lower(deviceType), "%exch%") OR like(lower(deviceType), "%dns%") OR lower(deviceType)="azurecoread"),"true","false") | table accountExpires,blackListUserIr,cn,country,department,description,deviceType,distinguishedName,division,dns,hostname,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,objectCategory,objectGUID,objectSid,operatingSystemVersion,os,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,sys_updated_on,sys_created_on,userAccountControl

  6. Update the other two asset configuration files /etc/caspida/local/conf/asset_es_pull_query.txt and /etc/caspida/local/conf/asset_proxy_query.txt with valid queries that return no results. For example:

    | inputlookup uba_ldapsearch_computers.csv | search deviceType="abc"

View assets in your environment

Select Manage > Assets to view the assets identified in your environment.

Use Add Filter to limit the devices shown on this page.

Last modified on 21 August, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2