Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Manage Splunk UBA configuration properties in the uba-site.properties file

Configure Splunk UBA using the properties in the /etc/caspida/local/conf/uba-site.properties file. Customizations made in this file are not modified during any upgrade procedures. See How to set configuration properties in Splunk UBA.

Configure Splunk UBA properties for the following product areas:

In the tables in each section, the values in the Default behavior column indicate the default Splunk UBA behavior when a configuration property is not set.

How to set configuration properties in Splunk UBA

A file called /opt/caspida/conf/uba-default.properties is used by Splunk UBA to manage many of the processes and micro-services required to operate Splunk UBA. To edit any of these default properties, or to add new properties, copy this file to /etc/caspida/local/conf/uba-site.properties file. Only edit the uba-site.properties file when changes are required. The /etc/caspida/local/conf directory is not affected by any upgrade scripts so configuration changes in this location can persist across product upgrades.

Perform the following steps to edit the /etc/caspida/local/conf/uba-site.properties and have the changes take effect:

  1. Log in to the Splunk UBA management node as the caspida user.
  2. Edit the /etc/caspida/local/conf/uba-site.properties file and add or edit the desired property and value.
  3. Save and exit the file.
  4. Synchronize the configuration changes across the cluster: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  5. Stop and restart Caspida. 
    /opt/caspida/bin/Caspida stop
/opt/caspida/bin/Caspida start

Splunk UBA environment properties

This table lists the configuration properties affecting your Splunk UBA setup.

Property Description Default behavior
system.docker.networkcidr Use this property to customize the IP addresses of your Docker containers to avoid conflicts in your network.


See Change the IP address of your Docker containers.

Not set.
ui.idleTimeout Use this property to change or disable the timeout value for the Splunk UBA web interface.


See Disable the Splunk UBA web interface timeout.

30 minutes
Health monitor indicators Many health monitor indicators have configurable properties that allow you change the threshold at which a warning or error is generated.


See Health Monitor status code reference.

Varies.

Splunk UBA and Splunk Enterprise Security integration properties

This table lists the configuration properties for Splunk UBA and Splunk Enterprise Security (ES) integration.

Property Description Default behavior
uba.splunkes.integration.enabled Define whether or not Splunk UBA integration with Splunk ES is enabled.


See Send Splunk UBA anomalies and threats to Splunk Enterprise Security as notable events in the Send and Receive Data from the Splunk Platform manual.

true
uba.splunkes.retry.delay.minutes Configure how often Splunk UBA sends threats to Splunk ES.


See How threats and notables are synchronized in the Send and Receive Data from the Splunk Platform manual.

5 minutes
uiServer.host The name of the Splunk UBA server specified when running the /opt/caspida/bin/Caspida setup command during Splunk UBA installation must match the value stored in the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA.


See Splunk Enterprise and Splunk ES requirements in the Send and Receive Data from the Splunk Platform manual.

N/A
uba.sys.audit.push.splunk.enabled Set this property to true to enable Splunk UBA audit events to be sent to Splunk ES.


See Send audit events to Splunk ES in the Send and Receive Data from the Splunk Platform manual.

Not set.
identity.resolution.export.enabled Set this property to true to send user and device association data from Splunk UBA to Splunk ES. User and device association data from Splunk UBA is visible on the Session Center dashboard in Splunk ES.


See Set up Splunk UBA to send user and device association data to Splunk ES in the Send and Receive Data from the Splunk Platform manual.

true

Event drilldown properties

This table lists the configuration properties for using event drilldown in Splunk UBA.

Property Description Default behavior
triggering.event.pre.calculate.links.anomaly.threshold Adjust the anomaly score threshold for caching the SPL to retrieve contributing anomalies.

See Splunk UBA caches the SPL for important anomalies in Use Splunk User Behavior Analytics.

8
triggering.event.timeout.millis Timeout value for the SPL in retrieving an anomaly's contributing events.


See Configure properties to increase the timeout interval in Use Splunk User Behavior Analytics.

300000
triggering.event.enable.reverse.ir Whether or not to enable reverse IR.


See Configure properties to increase the timeout interval in Use Splunk User Behavior Analytics.

false
triggering.event.search.backend.submission Submit the generated SPL to the Splunk platform using same credentials as the one used to create the data source.


See Working with long URLs in Use Splunk User Behavior Analytics.

true

Raw event data ingestion properties

This table lists the configuration properties for Splunk UBA to ingest raw events from the Splunk platform.

Property Description Default behavior
splunk.live.micro.batching Splunk UBA ingests data from the Splunk platform by performing micro batch queries.


See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.

true
splunk.live.micro.batching.delay.seconds Define the point in time where Splunk UBA begins data ingestion.


See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.

180
splunk.live.micro.batching.interval.seconds The length of time for each micro batch query.


See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.

60 seconds
connector.splunk.max.backtrace.time.in.hour The window of time that determines when to begin data ingestion, especially after a data source is stopped and then restarted.


See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.

4 hours
parser.global.input_timezone Set the time zone you want to use when ingesting events, in particular for file-based data sources.


See Add file-based data sources to Splunk UBA in Get Data into Splunk User Behavior Analytics.

UTC

Asset and identity data ingestion properties

This table lists the configuration properties for Splunk UBA to ingest asset and identity data.

Property Description Default behavior
attribution.keyvalue.delimiter The delimiter to use when ingesting assets data with multi-values fields.


See Configure asset ingestion for multi-valued fields in Get Data into Splunk User Behavior Analytics.

Comma (,)
assets.proxy.query.adformat Specify whether Splunk UBA should use MULTILINE or XML format when querying Windows Security Event logs for proxy servers.


See Perform asset identification by using the Splunk Assets data source in Get Data into Splunk User Behavior Analytics.

MULTILINE
identity.resolution.blacklist.threshold.device.hostnamecount To help Splunk UBA identify multi-user systems, data from last 24 hours is analyzed to find occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of device mappings.


See View IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics.

2
identity.resolution.blacklist.threshold.device.hostnamehours To help Splunk UBA identify multi-user systems, data from last 24 hours is analyzed to find occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of consecutive hours.


See View IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics.

6
identity.resolution.hrcache.capacity Set the value of this property to three times the number of HR accounts being monitored by Splunk UBA to avoid potential performance issues.


See Set the HR data cache capacity in the Get Data into Splunk User Behavior Analytics manual.

300,000

Kafka data ingestion properties

This table lists the configuration properties related to anomalies and threats in Splunk UBA.

For additional documentation about these properties, see Configure Kafka data ingestion in the Splunk UBA Kafka Ingestion App manual.

Property Description Default behavior
splunk.kafka.ingestion.search.delay.seconds The point in time where Splunk UBA begins Kafka ingestion. 180 seconds
splunk.kafka.ingestion.search.interval.seconds The length of the time in seconds for each batch query. 60 seconds
splunk.kafka.ingestion.search.max.lag.seconds The maximum, lag, or amount of time between the end time of the most recent batch query and the time Kafka ingestion starts. 3600 seconds

Anomaly and threat properties

This table lists the configuration properties related to anomalies and threats in Splunk UBA.

Property Description Default behavior
entity.score.lookbackWindowMonths Entity scoring is based on anomalies and threats from the past 2 months. Configure this property to change the time window.


See Filter the scope of anomalies and threats in Use Splunk User Behavior Analytics.

2 months
persistence.anomalies.trashed.maintain.days Splunk UBA purges anomalies more than 90 days old. Configure the property to change this value.


See Splunk UBA cleans up old anomalies in the trash in User Splunk User Behavior Analytics.

90 days
persistance.anomalies.trashed.del.limit Splunk UBA removes batches of 300,000 anomalies when purging old anomalies. Configure the property to change the batch size.


See Splunk UBA cleans up old anomalies in the trash in User Splunk User Behavior Analytics.

300,000
rule.engine.process.timeout.min The number of minutes allowed for a threat rule to run and complete before it times out.


See Manage the number of threats and anomalies in your environment in User Splunk User Behavior Analytics.

60

Automated incremental backup and restore properties

This table lists the configuration properties related to automated incremental backup and restore in Splunk UBA.

For additional documentation about these properties, see Configure automated incremental backups in Splunk UBA.

Property Description Default behavior
backup.filesystem.full.interval The frequency with which Splunk UBA performs an automated full backup without stopping Splunk UBA. 1 week
backup.filesystem.enabled Set this property to designate whether or not automated backups are enabled on the system. true
backup.filesystem.directory Set this property to designate the location where the automated backups are stored. /backup

Warm standby properties

This table lists the configuration properties related to warm standby in Splunk UBA.

For more information about these properties, see Set up the standby Splunk UBA system.

Property Description Default behavior
replication.enabled Set this property to enable the primary system to synchronize with the standby system. Not set
replication.primary.host Specify the management node of the primary Splunk UBA cluster. Not set
replication.standby.host Specify the management node of the standby Splunk UBA cluster. Not set

Custom content properties

This table lists the configuration properties related to custom models and cubes in Splunk UBA.

For more information about these properties, see Set limits for the number of custom models, cubes, measures and dimensions in Splunk UBA in the Develop Custom Content in Splunk User Behavior Analytics manual.

Property Description Default behavior
custom.cubes.non.deleted.max The maximum number of custom cubes that can be created. 6
custom.cubes.dimensions.max The maximum number of dimensions allowed in a custom cube. 6
custom.cubes.measures.max The maximum number of measures allowed in a custom cube. 3
custom.models.enabled.max The maximum number of active custom models allowed. 6
Last modified on 01 September, 2021
Start and stop Splunk UBA services from the command line   When jobs run in Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters