Splunk® User Behavior Analytics

Send and Receive Data from the Splunk Platform

About the Splunk Add-on for Splunk UBA

The Splunk Add-on for Splunk UBA indexes data sent from Splunk User Behavior Analytics (UBA) to the Splunk platform and allows you to send data from the Splunk platform to Splunk UBA. The Splunk Add-on for Splunk UBA consists of two separate add-ons:

  • The SA-UEBA add-on is installed in the SA-UEBA directory and is a supporting add-on for Splunk UBA. This add-on is disabled by default. The SA-UEBA add-on has no configuration options and only needs to be enabled in your environment.
  • The Splunk Add-on for UEBA is installed in the Splunk_TA_ueba directory and is a technology add-on for Splunk UBA. This add-on is enabled by default and has configuration options.

How do I obtain the Splunk Add-on for Splunk UBA?

The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). If you find that the Splunk Add-on for UBA is not installed, run the Splunk Enterprise Security Post-Install Configuration again and ensure that Splunk_TA_ueba is selected for installation. See Install Splunk Enterprise Security in the Splunk Enterprise Security Installation and Upgrade manual.

Functionality provided by the Splunk Add-on for Splunk UBA

In any environment with both Splunk UBA and Splunk ES, both add-ons included in the Splunk Add-on for Splunk UBA are required and both must be enabled.

The SA-UEBA add-on provides the following features and capabilities:

  • Contains the ueba data model definition for Splunk UBA threats and anomalies which provides accelerated Splunk UBA information to Splunk ES.
  • Defines the ubauser, ubadevice, ubahistory, and ubaevents macros in Splunk ES.
  • Defines multiple correlation searches relating to Splunk UBA anomaly and threat detection:
    • Threat - UEBA Threat Detected (Notable) – Rule

    • Threat - UEBA Threat Detected (Risk) – Rule

    • Threat - UEBA Anomaly Detected (Risk) – Rule
  • Defines multiple key-indicator searches for populating Splunk web in Splunk ES, such as anomaly actors, anomaly signatures, anomalies per threat, and total anomalies.
  • Defines the UEBA - Notable External Reference - Lookup Gen lookup generation search.
  • Defines multiple swim-lane searches for populating Splunk Web in Splunk ES, such as UEBA Threats By Asset, UEBA Threats By Identity, UBA Anomalies By Asset, and UBA Anomalies By Identity.

The Splunk Add-on for UEBA provides the following features and capabilities:

  • Contains the send2uba function which allows saved search results to be forwarded to Splunk UBA.
  • Defines the edit_uba_settings capability which is added to the ess_admin role in Splunk ES and can be assigned.
  • Defines the syslog-based output for Splunk UBA data in the ubaroute index.
  • Defines multiple macros used to enrich events within Splunk ES to make them compatible with Splunk UBA.
  • Defines the Event Drilldown workflow. See Use event drilldown to review an anomaly's raw events in the Use Splunk User Behavior Analytics manual.
  • Contains lookups that can be referenced, such as a lookup for converting a Splunk UBA threat score into a Splunk ES urgency value.
  • Enables Splunk ES to retrieve user and device association data from Splunk UBA.

See the following table for a summary of the functionality provided by SA-UEBA and the Splunk Add-on for UEBA.

Feature SA-UEBA Splunk Add-on for UEBA
Visible? No Yes, this add-on contains a view for configuration.
Collection method TCP TCP port 10008
CIM Compliance None None. This data maps to the UEBA data model included with Splunk ES. See Data models used by ES in the Developer Guide for Splunk Cloud Platform and Splunk Enterprise.
Sourcetypes uba_audit ueba, stash_uba
Indexes N/A ueba, ubaroute
Last modified on 12 April, 2024
How Splunk UBA sends and receives data from the Splunk platform   Requirements for using the Splunk Add-on for Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters