Manage Splunk UBA configuration properties in the uba-site.properties file
Configure Splunk UBA using the properties in the /etc/caspida/local/conf/uba-site.properties file. Customizations made in this file are not modified during any upgrade procedures. See How to set configuration properties in Splunk UBA.
Configure Splunk UBA properties for the following product areas:
- Splunk UBA environment properties
- Splunk UBA and Splunk Enterprise Security (ES) properties
- Event drilldown properties
- Raw event data ingestion properties
- Asset and identity data ingestion properties
- Kafka data ingestion properties
- Anomaly and threat properties
- Backup and restore properties
In the tables in each section, the values in the Default behavior column indicate the default Splunk UBA behavior when a configuration property is not set.
How to set configuration properties in Splunk UBA
A file called /opt/caspida/conf/uba-default.properties is used by Splunk UBA to manage many of the processes and micro-services required to operate Splunk UBA. To edit any of these default properties, or to add new properties, copy this file to /etc/caspida/local/conf/uba-site.properties. Only edit the uba-site.properties file when changes are required. The /etc/caspida/local/conf directory is not affected by any upgrade scripts, so configuration changes in this location persist across product upgrades.
Perform the following steps to edit the /etc/caspida/local/conf/uba-site.properties file and have the changes take effect:
- Log in to the Splunk UBA management node as the caspida user.
- Edit the /etc/caspida/local/conf/uba-site.properties file and add or edit the desired property and value.
- Save and exit the file.
- Synchronize the configuration changes across the cluster:
  /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Stop and restart Caspida:
  /opt/caspida/bin/Caspida stop
  /opt/caspida/bin/Caspida start
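The procedure above, scripted as an added example (this is not Splunk's own tooling). The script sets one property in uba-site.properties idempotently (replacing an existing key=value line instead of appending a duplicate), reads it back for verification, and only then runs the sync-cluster and stop/start commands from the page. The file and binary paths are the ones the page documents; UBA_SITE_PROPERTIES and CASPIDA_BIN are this script's own variables so that it can be exercised against a scratch file.

```shell
#!/bin/sh
# Added example, not Splunk's own code: idempotently set a property in
# uba-site.properties, then apply it with sync-cluster and a restart.
# Paths default to the ones documented on the page; override for testing.
UBA_SITE_PROPERTIES="${UBA_SITE_PROPERTIES:-/etc/caspida/local/conf/uba-site.properties}"
CASPIDA_BIN="${CASPIDA_BIN:-/opt/caspida/bin/Caspida}"

# get_property FILE KEY
# Prints the value of KEY (last key=value line wins, as Java property loading does).
# Comment lines (# or !) are ignored; only the key=value form is handled.
# Returns 1 when KEY is not present.
get_property() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[#!]/ { next }
        index(line, k "=") == 1 { sub(/^[^=]*=[ \t]*/, "", line); v = line; found = 1 }
        END { if (found) print v; else exit 1 }' "$1"
}

# set_property FILE KEY VALUE
# Replaces every existing key=value line for KEY with a single line at the position
# of the first one, or appends KEY=VALUE if the key was absent. Creates FILE if needed.
# Note: awk -v applies backslash escapes to VALUE; plain values are unaffected.
set_property() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk -v k="$key" -v v="$value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line !~ /^[#!]/ && index(line, k "=") == 1) {
                if (!done) { print k "=" v; done = 1 }   # keep one copy, drop duplicates
                next
            }
            print
        }
        END { if (!done) print k "=" v }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# apply_config
# Pushes /etc/caspida/local/conf to every node and restarts Caspida so the
# change takes effect (the two commands from the page).
apply_config() {
    "$CASPIDA_BIN" sync-cluster /etc/caspida/local/conf
    "$CASPIDA_BIN" stop
    "$CASPIDA_BIN" start
}

# Usage (as the caspida user on the management node):
#   sh set-uba-property.sh KEY VALUE
if [ "$#" -eq 2 ]; then
    set_property "$UBA_SITE_PROPERTIES" "$1" "$2"
    echo "$1=$(get_property "$UBA_SITE_PROPERTIES" "$1")"
    apply_config
fi
```

Because the functions are defined before the guarded block at the bottom, the file can also be sourced to use set_property and get_property on their own, for instance to verify a value after a sync-cluster run without restarting anything.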
Splunk UBA environment properties
This table lists the configuration properties affecting your Splunk UBA setup.
Property | Description | Default behavior |
---|---|---|
system.docker.networkcidr | Use this property to customize the IP addresses of your Docker containers to avoid conflicts in your network. | Not set. |
ui.idleTimeout | Use this property to change or disable the timeout value for the Splunk UBA web interface. | 30 minutes |
Health monitor indicators | Many health monitor indicators have configurable properties that allow you to change the threshold at which a warning or error is generated. | Varies. |
Splunk UBA and Splunk Enterprise Security integration properties
This table lists the configuration properties for Splunk UBA and Splunk Enterprise Security (ES) integration.
Property | Description | Default behavior |
---|---|---|
uba.splunkes.integration.enabled | Define whether or not Splunk UBA integration with Splunk ES is enabled. | true |
uba.splunkes.retry.delay.minutes | Configure how often Splunk UBA sends threats to Splunk ES. | 5 minutes |
uiServer.host | The name of the Splunk UBA server specified when running the /opt/caspida/bin/Caspida setup command during Splunk UBA installation must match the value stored in the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA. | N/A |
uba.sys.audit.push.splunk.enabled | Set this property to true to enable Splunk UBA audit events to be sent to Splunk ES. | Not set. |
identity.resolution.export.enabled | Set this property to true to send user and device association data from Splunk UBA to Splunk ES. User and device association data from Splunk UBA is visible on the Session Center dashboard in Splunk ES. | true |
Event drilldown properties
This table lists the configuration properties for using event drilldown in Splunk UBA.
Property | Description | Default behavior |
---|---|---|
triggering.event.pre.calculate.links.anomaly.threshold | Adjust the anomaly score threshold for caching the SPL to retrieve contributing anomalies. See Splunk UBA caches the SPL for important anomalies in Use Splunk User Behavior Analytics. | 8 |
triggering.event.timeout.millis | Timeout value, in milliseconds, for the SPL that retrieves an anomaly's contributing events. | 300000 |
triggering.event.enable.reverse.ir | Whether or not to enable reverse IR. | false |
triggering.event.search.backend.submission | Submit the generated SPL to the Splunk platform using the same credentials as those used to create the data source. | true |
Raw event data ingestion properties
This table lists the configuration properties for Splunk UBA to ingest raw events from the Splunk platform.
Property | Description | Default behavior |
---|---|---|
splunk.live.micro.batching | Splunk UBA ingests data from the Splunk platform by performing micro batch queries. | true |
splunk.live.micro.batching.delay.seconds | Define the point in time where Splunk UBA begins data ingestion. | 180 |
splunk.live.micro.batching.interval.seconds | The length of time for each micro batch query. | 60 seconds |
connector.splunk.max.backtrace.time.in.hour | The window of time that determines when to begin data ingestion, especially after a data source is stopped and then restarted. | 4 hours |
parser.global.input_timezone | Set the time zone you want to use when ingesting events, in particular for file-based data sources. | UTC |
Asset and identity data ingestion properties
This table lists the configuration properties for Splunk UBA to ingest asset and identity data.
Property | Description | Default behavior |
---|---|---|
attribution.keyvalue.delimiter | The delimiter to use when ingesting assets data with multi-value fields. | Comma (,) |
assets.proxy.query.adformat | Specify whether Splunk UBA should use MULTILINE or XML format when querying Windows Security Event logs for proxy servers. | MULTILINE |
identity.resolution.blacklist.threshold.device.hostnamecount | To help Splunk UBA identify multi-user systems, data from the last 24 hours is analyzed to find occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of device mappings. | 2 |
identity.resolution.blacklist.threshold.device.hostnamehours | To help Splunk UBA identify multi-user systems, data from the last 24 hours is analyzed to find occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of consecutive hours. | 6 |
identity.resolution.hrcache.capacity | Set the value of this property to three times the number of HR accounts being monitored by Splunk UBA to avoid potential performance issues. | 300,000 |
Kafka data ingestion properties
This table lists the configuration properties related to Kafka data ingestion in Splunk UBA.
For additional documentation about these properties, see Configure Kafka data ingestion in the Splunk UBA Kafka Ingestion App manual.
Property | Description | Default behavior |
---|---|---|
splunk.kafka.ingestion.search.delay.seconds | The point in time where Splunk UBA begins Kafka ingestion. | 180 seconds |
splunk.kafka.ingestion.search.interval.seconds | The length of the time in seconds for each batch query. | 60 seconds |
splunk.kafka.ingestion.search.max.lag.seconds | The maximum lag, or amount of time, between the end time of the most recent batch query and the time Kafka ingestion starts. | 3600 seconds |
Anomaly and threat properties
This table lists the configuration properties related to anomalies and threats in Splunk UBA.
Property | Description | Default behavior |
---|---|---|
entity.score.lookbackWindowMonths | Entity scoring is based on anomalies and threats from the past 2 months. Configure this property to change the time window. | 2 months |
persistence.anomalies.trashed.maintain.days | Splunk UBA purges anomalies more than 90 days old. Configure the property to change this value. | 90 days |
persistance.anomalies.trashed.del.limit | Splunk UBA removes batches of 300,000 anomalies when purging old anomalies. Configure the property to change the batch size. | 300,000 |
rule.engine.process.timeout.min | The number of minutes allowed for a threat rule to run and complete before it times out. | 60 |
Automated incremental backup and restore properties
This table lists the configuration properties related to automated incremental backup and restore in Splunk UBA.
For additional documentation about these properties, see Configure automated incremental backups in Splunk UBA.
Property | Description | Default behavior |
---|---|---|
backup.filesystem.full.interval | The frequency with which Splunk UBA performs an automated full backup without stopping Splunk UBA. | 1 week |
backup.filesystem.enabled | Set this property to designate whether or not automated backups are enabled on the system. | true |
backup.filesystem.directory | Set this property to designate the location where the automated backups are stored. | /backup |
Warm standby properties
This table lists the configuration properties related to warm standby in Splunk UBA.
For more information about these properties, see Set up the standby Splunk UBA system.
Property | Description | Default behavior |
---|---|---|
replication.enabled | Set this property to enable the primary system to synchronize with the standby system. | Not set |
replication.primary.host | Specify the management node of the primary Splunk UBA cluster. | Not set |
replication.standby.host | Specify the management node of the standby Splunk UBA cluster. | Not set |
Custom content properties
This table lists the configuration properties related to custom models and cubes in Splunk UBA.
For more information about these properties, see Set limits for the number of custom models, cubes, measures and dimensions in Splunk UBA in the Develop Custom Content in Splunk User Behavior Analytics manual.
Property | Description | Default behavior |
---|---|---|
custom.cubes.non.deleted.max | The maximum number of custom cubes that can be created. | 6 |
custom.cubes.dimensions.max | The maximum number of dimensions allowed in a custom cube. | 6 |
custom.cubes.measures.max | The maximum number of measures allowed in a custom cube. | 3 |
custom.models.enabled.max | The maximum number of active custom models allowed. | 6 |
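Several of the properties in the tables above have a direct bearing on security posture: whether UBA audit events reach Splunk ES, whether threats are forwarded at all, whether automated backups run, and how long a web session stays open when idle. The following added example (not Splunk's own tooling) reads a uba-site.properties file and reports values that deviate from those expectations, so that configuration drift on the management node can be caught in review. The "expected" values are this script's assumptions drawn from the documented defaults; treating ui.idleTimeout as a number of minutes with 0 meaning disabled is also an assumption, since the page does not document the value format.

```shell
#!/bin/sh
# Added example, not Splunk's own code: report settings in uba-site.properties that
# weaken the posture the property tables describe. Expected values and the
# interpretation of ui.idleTimeout (minutes, 0 = disabled) are assumptions.

# read_property FILE KEY -> value of KEY (last key=value line wins), or "<unset>"
read_property() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[#!]/ { next }
        index(line, k "=") == 1 { sub(/^[^=]*=[ \t]*/, "", line); v = line; found = 1 }
        END { print (found ? v : "<unset>") }' "$1"
}

# expect FILE KEY DEFAULT WANTED REASON
# Resolves the effective value (the configured value, else DEFAULT, which is what
# Splunk UBA uses when the property is absent) and prints a finding when it
# differs from WANTED. Returns 1 on a finding, 0 otherwise.
expect() {
    file="$1"; key="$2"; default="$3"; wanted="$4"; reason="$5"
    actual=$(read_property "$file" "$key")
    effective="$actual"
    [ "$actual" = "<unset>" ] && effective="$default"
    [ "$effective" = "$wanted" ] && return 0
    printf 'FINDING %s=%s (effective %s, wanted %s): %s\n' \
        "$key" "$actual" "$effective" "$wanted" "$reason"
    return 1
}

# audit_properties FILE -> prints findings; the return status is the number of findings
audit_properties() {
    f="$1"; n=0
    # Documented default "Not set" means audit events are not pushed; modelled as false.
    expect "$f" uba.sys.audit.push.splunk.enabled false true \
        "UBA audit events are not forwarded to Splunk ES" || n=$((n + 1))
    expect "$f" uba.splunkes.integration.enabled true true \
        "threats are not sent to Splunk ES" || n=$((n + 1))
    expect "$f" backup.filesystem.enabled true true \
        "automated incremental backups are disabled" || n=$((n + 1))
    # ui.idleTimeout: documented default is 30 minutes. Assumption: the configured
    # value is in minutes and 0 disables the timeout entirely.
    t=$(read_property "$f" ui.idleTimeout)
    case "$t" in
        "<unset>") ;;
        ""|*[!0-9]*)
            printf 'FINDING ui.idleTimeout=%s: not a positive integer\n' "$t"; n=$((n + 1)) ;;
        0)
            printf 'FINDING ui.idleTimeout=0: web session idle timeout disabled\n'; n=$((n + 1)) ;;
        *)
            [ "$t" -le 30 ] || {
                printf 'FINDING ui.idleTimeout=%s: longer than the 30 minute default\n' "$t"
                n=$((n + 1))
            } ;;
    esac
    return "$n"
}

# Usage: sh audit-uba-site.sh /etc/caspida/local/conf/uba-site.properties
if [ "$#" -ge 1 ]; then
    audit_properties "$1"
    echo "findings: $?"
fi
```

The check distinguishes a property that is absent (Splunk UBA falls back to its documented default) from one that is explicitly set, which is why uba.splunkes.integration.enabled left unset is clean while uba.sys.audit.push.splunk.enabled left unset is reported. Run it against the management node's copy before and after a sync-cluster to confirm the cluster is converging on the intended values.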
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1