Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics


See all devices on the devices table

The devices table provides a view of all devices identified in your environment. Select Explore > Devices to view the table. By default, the table shows only devices that have a device resolution status of resolved.

This screen image shows the Splunk UBA Devices table. The main elements in the image are described in the surrounding text.

The table shows the host name of the device, if known, the device scope, the number of anomalies or threats that involve the device, and the score of the device. Click a row to view more information about the device.

Device scope is set to internal by default.

  • External devices are identified by their IP address. See Configure Splunk UBA to define which IP addresses are internal to your organization.
  • Internal devices are assets such as laptops that belong to your own organization. See Identify assets in your environment for more information about how Splunk UBA identifies asset data.

Device resolution in Splunk UBA

The number of devices displayed on dashboards in Splunk UBA refers to the number of resolved devices. Splunk UBA normalizes names of devices based on AD domains and other information in a process called device resolution.

Devices in Splunk UBA are identified by one of the following properties:

  • IP address, which is a virtual representation of a device and does not represent any physical device. This property has the lowest rank of the device identifiers.
  • MAC address, which is the physical identifier of a device and does not change. This property is the second highest in rank among the device identifiers.
  • Host name, which is a virtual but more readable representation of a physical device. Host names are assigned in each individual device or on the DNS server and are easy to recognize, so this property has the highest ranking among the device identifiers.

The rankings are used when determining the status of any device in the system. Device identifiers in Splunk UBA have three potential resolution statuses depending on the information available to associate device identifiers.

Device resolution status and description:

unresolved
  Devices in Splunk UBA are unresolved when the only device identifier is an IP address and there is no association with other device identifiers.

  For example, a web log entry is ingested into Splunk UBA and contains the IP address 10.10.120.130. This IP address is new to Splunk UBA, and if there is no corresponding MAC address or host name, the status of 10.10.120.130 is unresolved.

  Unresolved devices do not appear in Splunk UBA unless they are part of an anomaly.

superseded
  Devices in Splunk UBA change to superseded status when Splunk UBA identifies a DNS name or MAC address associated with the IP address of an unresolved device. The device identifier status for the IP address changes to superseded to reflect the additional information. Also, when Splunk UBA identifies a DNS name associated with a MAC address, the MAC address device identifier status updates to superseded.

  For example, the same IP address 10.10.120.130 is found in a DHCP log in an entry containing the MAC address 00:25:96:FF:FE:12:34:56. When this happens:

  • The IP address 10.10.120.130 will have a status of superseded.
  • The MAC address 00:25:96:FF:FE:12:34:56 will have a status of resolved.

  Suppose a DNS log entry contains both the IP address 10.10.120.130 and the MAC address 00:25:96:FF:FE:12:34:56 along with a host name of TestMAC. Now:

  • The IP address 10.10.120.130 will have a status of superseded.
  • The MAC address 00:25:96:FF:FE:12:34:56 will have a status of superseded.
  • The host name TestMAC will have a status of resolved.

resolved
  The device identifier is a DNS name or a MAC address, and might have an IP address associated with it. A device with only an IP address associated with it can never have a status of resolved.

The process of device resolution is summarized in the flowchart:

This screen image shows the process how Splunk UBA performs device resolution. The process is described in the table immediately preceding this graphic.
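The following is an added example, not Splunk's code, that models the device resolution rules from the table above as a small state machine: identifiers rank host name > MAC > IP, an IP alone is never resolved, a higher-ranked identifier in the same event supersedes the lower ones, and a status never moves backwards. The event field names (`ip`, `mac`, `hostname`) and the decision to hide superseded identifiers from the default dashboard view are assumptions made here.

```python
# Identifier rank as the page describes it: host name > MAC address > IP address.
RANK = {"ip": 0, "mac": 1, "hostname": 2}
# A status only ever moves forward along this order: an identifier that has been
# superseded by a higher-ranked one stays superseded even if it later appears alone.
ORDER = {"unresolved": 0, "resolved": 1, "superseded": 2}


class DeviceResolver:
    """Assigns unresolved / superseded / resolved to each identifier as log events arrive."""

    def __init__(self):
        self.status = {}  # identifier string -> status string

    def ingest(self, event):
        """event: dict with any of the keys 'ip', 'mac', 'hostname' (assumed field names)."""
        present = [(kind, event[kind]) for kind in RANK if event.get(kind)]
        if not present:
            return
        top_kind = max((kind for kind, _ in present), key=RANK.get)
        for kind, ident in present:
            if kind != top_kind:
                new = "superseded"   # a higher-ranked identifier now represents this device
            elif kind == "ip":
                new = "unresolved"   # an IP address on its own can never be resolved
            else:
                new = "resolved"
            old = self.status.get(ident, "unresolved")
            self.status[ident] = max(old, new, key=ORDER.get)

    def visible_on_dashboard(self, ident, in_anomaly=False):
        """Default dashboard filter: resolved identifiers, plus unresolved ones tied to an
        anomaly. Hiding superseded identifiers is an assumption of this example."""
        s = self.status.get(ident, "unresolved")
        return s == "resolved" or (s == "unresolved" and in_anomaly)


def replay_page_example():
    """Replays the page's web log -> DHCP -> DNS walkthrough; returns the final status map."""
    r = DeviceResolver()
    r.ingest({"ip": "10.10.120.130"})                                    # web log: IP only
    r.ingest({"ip": "10.10.120.130", "mac": "00:25:96:FF:FE:12:34:56"})  # DHCP: IP + MAC
    r.ingest({"ip": "10.10.120.130", "mac": "00:25:96:FF:FE:12:34:56",
              "hostname": "TestMAC"})                                    # DNS: IP + MAC + host
    return dict(r.status)
```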

Splunk UBA ingests asset data from Splunk Enterprise daily using asset lookup queries. Asset data is used by Splunk UBA to perform device resolution. See Identify assets in your environment for more information.

By default, only resolved device identifiers appear on Splunk UBA dashboards. The data science models in Splunk UBA only use resolved devices. By default, Splunk UBA treats all devices as internal devices, unless they are represented by an external domain name or a routable IP address.

You must define the AD domains in use in your organization for device names to be accurately identified. See Define the AD domains in use for devices for details.

Review the device details

Click on a device in the device table to view the device details.

  • Review the device facts that are available, such as IP address, MAC address, device scope, and device type.
  • Review the Device Score Trend to see how the risk score for the device has changed over time.
  • Review the Data Transfer by User and Logins by User to see how much data was transferred by which user, and which users have logged on to the device and how frequently. Click on View Details for more information.
  • Review the User Attributions for a summary of each user interaction with the device over time. The start time, end time, duration, and number of events generated for each session can be viewed.
  • Review the Device Event for information about how the device was created in the system.
  • If the device has any location data, you can view the location of the device on the Device Location map.
Last modified on 07 January, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2
