Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Delete anomalies in Splunk UBA

Sometimes, anomalies are generated that, on investigation, turn out to have low value. The following examples are situations where anomalous behavior is expected, so the resulting anomalies are less valuable than anomalies raised where nothing unusual is expected:

  • If you have a penetration tester on your network, the tester's behavior can create anomalies that do not indicate a real threat to your environment.
  • If one employee takes on additional job roles to cover another employee's vacation or leave, the employee's out-of-the-ordinary behaviors can generate anomalies.
  • An employee temporarily works remotely from an area where your company has no offices.

You can delete these anomalies to prevent them from generating threats, and also to effect a desired change in user risk scores. Only users with admin privileges can delete anomalies in Splunk UBA.

How does deleting anomalies affect other Splunk UBA components?

Deleting anomalies in Splunk UBA affects other Splunk UBA components in the following ways:

  • User risk scores are generated based on the anomalies and threats linked to the user. If you choose to delete anomalies, you may affect the threats that are generated and also the user risk scores.
  • Device risk scores are generated based on the anomalies and threats linked to the device. If you choose to delete anomalies, you may affect the threats that are generated and also the device risk scores.
  • Deleting anomalies as false positives does not affect Splunk UBA models. The models will continue to raise similar anomalies based on similar criteria.
  • Deleting anomalies does not trigger threat revalidation for threat models.
  • Deleting anomalies does trigger immediate threat revalidation for threat rules.

How to delete anomalies in Splunk UBA

There are two ways to delete anomalies in Splunk UBA:

  • Move anomalies to the trash and potentially restore them at a later date.
  • Permanently delete anomalies.

Anomalies moved to the trash do not get raised again, because they are still stored in the Splunk UBA database. Permanently deleted anomalies can be raised again, because Splunk UBA models analyze the last 30 days' worth of data. If the data warrants that an anomaly should be raised, Splunk UBA creates a new anomaly if that anomaly does not already exist in Splunk UBA, including in the trash.

Move anomalies to the trash

To move a single anomaly to the trash, perform the following tasks:

  1. Open the Anomaly Details for the anomaly that you would like to delete.
  2. Click Delete.
  3. Select Move to Trash.
  4. Click OK to confirm that you want to send the anomaly to the trash.

To move multiple anomalies from the anomalies table to the anomalies trash, perform the following tasks:

  1. Select Explore > Anomalies to open the Anomalies Table.
  2. Filter the anomalies to show only those you want to delete. For example, change the time selection and add a User Types filter of Accounts to show only account-based anomalies created more than 30 days ago.
  3. Click Actions > Delete Selected to delete all the anomalies shown.
  4. The number of anomalies being moved to the trash appears in parentheses. Verify that this number does not exceed the Limits for anomaly actions in Splunk UBA.
  5. Select Move to Trash.
  6. Click OK to confirm that you want to delete the anomalies.

Permanently delete anomalies

To permanently delete a single anomaly, perform the following tasks:

  1. Open the Anomaly Details for the anomaly that you would like to delete.
  2. Click Delete.
  3. Select Delete Permanently.
  4. Click OK to confirm that you want to delete the anomaly permanently.

To permanently delete multiple anomalies from the anomalies table, perform the following tasks. After you delete an anomaly in this way, you cannot restore it.

  1. Select Explore > Anomalies to open the Anomalies Table.
  2. Filter the anomalies to show only those you want to delete. For example, change the time selection and add a User Types filter of Accounts to show only account-based anomalies created more than 30 days ago.
  3. Click Actions > Delete Selected to delete all the anomalies shown.
  4. The number of anomalies being deleted appears in parentheses. Verify that this number does not exceed the Limits for anomaly actions in Splunk UBA.
  5. Select Delete Permanently.
  6. Click OK to confirm that you want to delete the anomalies.

View and restore anomalies in the trash

You can restore and view deleted anomalies in the trash, if they were deleted by accident or based on investigation details that are no longer accurate. After you delete anomalies, threats created by those anomalies can change or disappear. Similarly, after restoring deleted anomalies, new threats can be created or existing threats can change. User risk scores are also directly affected by deleting or restoring anomalies. See Splunk UBA adjusts threats after you take action on anomalies.

Perform the following tasks to review anomalies sent to the trash and restore anomalies sent to the trash in error from the Anomalies Trash view of the anomalies table:

  1. Select Explore > Anomalies.
  2. Select Actions > View Anomalies Trash.
    • To restore all anomalies previously sent to the trash, click Actions > Restore Anomalies.
    • To restore a selection of the anomalies previously sent to the trash, apply additional filters then click Actions > Restore Anomalies.
    • To restore a single anomaly sent to the trash, click the name to open the Anomaly Details view and click Restore from that view.

If necessary, you can review the IDs of permanently deleted anomalies in the /var/log/caspida/ruleengine/realtimeruleexecutor.log log file.

If you export anomalies to another system, such as Splunk Enterprise Security, an analyst can open a link to a deleted anomaly or an anomaly in the trash. You can still view and restore anomalies that have been sent to the trash, but you cannot review anomalies that have been permanently deleted. Following a link to a permanently deleted anomaly displays the error "The requested anomaly could not be found."

Splunk UBA cleans up old anomalies in the trash

The AnomalyPurger process runs daily after midnight and removes all anomalies in the trash that are more than 90 days old. Perform the following tasks to modify this configuration as needed:

  1. Log in to the Splunk UBA master node as the caspida user.
  2. Edit the /etc/caspida/local/conf/uba-site.properties file.
  3. Configure the persistence.anomalies.trashed.maintain.days property to remove anomalies that are older than the specified number of days. The default is 90 days.
  4. When the AnomalyPurger process runs, batches of 300K anomalies are removed from the trash until all anomalies in the trash are removed. Configure the persistence.anomalies.trashed.del.limit property to change the batch size as desired.
  5. Save and exit the /etc/caspida/local/conf/uba-site.properties file.
  6. In distributed deployments, synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
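Steps 3 and 4 done from a shell, so that each value is validated and each key is written exactly once rather than duplicated. This is an added example, not Splunk tooling: the set_property and get_property helpers are hypothetical, and it runs against a constructed temp file standing in for /etc/caspida/local/conf/uba-site.properties.

```shell
#!/bin/sh
# Added example, not Splunk tooling: set the two trash-retention properties
# named on the page in a uba-site.properties file, validating each value and
# writing each key exactly once. Exercised against a constructed temp file.

# set_property FILE KEY VALUE (hypothetical helper): replace the line if KEY
# already exists, append it otherwise. Rejects anything that is not a positive
# integer, since both properties are a day count or a batch size.
set_property() {
    file=$1; key=$2; value=$3
    case $value in
        ''|*[!0-9]*|0) echo "refusing value '$value' for $key" >&2; return 1 ;;
    esac
    if grep -q "^${key}=" "$file"; then
        # sed -i is not portable; write to a temp file and move it into place
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY (hypothetical helper): print the current value, or nothing.
get_property() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# Constructed stand-in for /etc/caspida/local/conf/uba-site.properties
SAMPLE=$(mktemp)
printf 'persistence.anomalies.trashed.maintain.days=90\n' > "$SAMPLE"

set_property "$SAMPLE" persistence.anomalies.trashed.maintain.days 30   # keep trash 30 days
set_property "$SAMPLE" persistence.anomalies.trashed.del.limit 100000   # purge in 100K batches

# Zero is not a meaningful retention period; the helper rejects it.
if set_property "$SAMPLE" persistence.anomalies.trashed.maintain.days 0; then
    echo "validation failed to reject 0" >&2
fi

cat "$SAMPLE"
# On the real file in a distributed deployment, follow up with:
#   /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
```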

Limits for anomaly actions in Splunk UBA

Splunk UBA defines the following limits when taking action on anomalies, such as changing the score, moving to or removing from a watchlist, deleting anomalies, restoring anomalies from the trash, or any anomaly action rules affecting existing anomalies:

  • In 10 and 20 node clusters, you can perform a single anomaly action that includes up to 200K anomalies.
  • In clusters of 7 nodes or fewer, you can perform a single anomaly action that includes up to 100K anomalies.

Last modified on 31 March, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2