Requirements for using the Splunk Add-on for Splunk UBA

Before integrating Splunk User Behavior Analytics (UBA) with Splunk Enterprise or Splunk Enterprise Security (ES), meet these requirements:

• Verify that you are using compatible versions of Splunk UBA, Splunk Enterprise, and Splunk ES. See Compatible software versions.
• Verify that you have properly configured Splunk UBA, Splunk Enterprise, and Splunk ES for integration. See Splunk Enterprise and Splunk ES requirements.
• Verify that you have properly configured authentication for Splunk ES users to access Splunk UBA. See Configure authentication between Splunk UBA and Splunk ES.

Splunk Cloud customers must contact Splunk Support to fully integrate with Splunk UBA. The Splunk Cloud sc_admin role cannot perform Splunk UBA setup.

Compatible software versions

Verify the version compatibility among the products in the table.

See the Splunk products version compatibility matrix in the Splunk Products Version Compatibility Matrix manual for more information about compatibility among Splunk products.

Splunk Enterprise and Splunk ES requirements

Meet the following requirements to integrate Splunk UBA with Splunk Enterprise and Splunk ES.

• Verify that you have a Splunk Enterprise user account that meets all the requirements listed in Requirements for the Splunk Enterprise user account in the Install and Upgrade Splunk User Behavior Analytics manual.
• Verify that the Splunk Add-on for Splunk UBA is installed and enabled on your search head with the ueba index deployed to your indexers. See Deploy the Splunk Add-on for Splunk UBA.
• Verify that the name of the Splunk UBA server is specified correctly in Splunk ES. The name of the Splunk UBA server that you specified when running the /opt/caspida/bin/Caspida setup command during Splunk UBA installation must match the value stored in the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA. The name of the Splunk UBA server that was specified during setup is stored in the /opt/caspida/conf/deployment/caspida-deployment.conf file.
  • If you specified a Splunk UBA host name such as ubahost1 during setup, make sure that uiServer.host is set to the same host name.
  • If you specified an IP address such as 10.11.12.1 during setup, make sure that uiServer.host is set to the same IP address.
• Configure an output connector on Splunk UBA to send anomalies and threats from Splunk UBA to Splunk ES. During this configuration, you must provide a username and password for a Splunk ES account with at least the permissions granted by the ess_analyst role with edit_reviewstatuses capability so that Splunk UBA is fully authorized for this integration. This privilege level is required so that Splunk UBA can access the Splunk ES APIs and make changes to the status of notable events. See Add an output connector in Splunk UBA.

Configure authentication between Splunk UBA and Splunk ES

Starting with release 6.1.0, Splunk ES can use a local user account to integrate with Splunk UBA. To perform the integration, meet the following requirements:

• In Splunk UBA, configure an account with the name of ubaesuser and the role of User. See Add a local user account in the Administer Splunk User Behavior Analytics manual.
• In Splunk ES, create the matching credentials. See Add a new credential for UBA input in the Splunk Enterprise Security Administer Splunk Enterprise Security manual.

If you are using a Splunk ES release earlier than 6.1.0, configure Splunk authentication in Splunk UBA to integrate Splunk UBA and Splunk ES. See Configure Splunk authentication using Splunk UBA in the Administer Splunk User Behavior Analytics manual.