Audit user activity in Splunk UBA
You can audit user activity in Splunk UBA by reviewing the audit logs in Splunk UBA or by sending audit logs to the Splunk platform for analysis.
User activity logged by Splunk UBA
Audit logs contain the name of the action performed, the type of the action performed, the username of the user performing the action, and the time of the action. In addition, if the action performed affects an entity such as a user or device, Splunk UBA logs the entity type, entity ID, and the URL for the affected entity details page. To see more details about an entity, search the entity ID in the table relevant to the entity type. For example, search an entity ID for a device in the Devices table.
By default, Splunk UBA retains three months of user activity audit logs.
Audit log example
For example, audit logs for the user jgonzalez downloading diagnostic data and then viewing the device details page for a device look as follows:
|Download Diagnostics||modules: All Modules
|jgonzalez||Jun 13, 2017 2:14 PM|
|View Device Details||acme-61669202||jgonzalez||Jun 13, 2017 5:33 PM|
The device name is a link to the device details page.
Types of user activity logged by Splunk UBA
Splunk UBA logs several types of activity for auditing. All actions performed by users in Splunk UBA are logged for auditing, including visits to dashboards and pages within the application.
|Activity category||Specific behavior logged|
|Access and authentication activity||User logged in or out.|
|User account created, modified, or deleted.|
|Data source changes||Data sources added, modified, or deleted.|
|HR data configuration created|
|HR data configuration reset|
|Configure an output connector.|
|Installation activity||Install a content pack.|
|Install a new or updated license file.|
|Splunk UBA user activity||Navigation and filter activity in the user table.|
|Navigation and filter activity in the device table.|
|Navigate to the Models page.|
|Navigate to the Health Monitor page.|
|Threat review activity||Add a threat to a watchlist.|
|Add a threat to an allow list.|
|Anomaly review activity||Delete or restore an anomaly.|
|Change the score of an anomaly.|
|Add or remove an anomaly from a watchlist.|
|Deny list and allow list changes||Add or remove an entry from the deny list.|
|Add or remove an entry from the allow list.|
|Custom threat rule changes||Create a custom threat rule.|
|Modify or delete a custom threat rule.|
|PII masking behavior||Mask PII in Splunk UBA.|
|Unmask PII in Splunk UBA.|
Review the audit logs in Splunk UBA
You can view the audit logs from the past three months in Splunk UBA. Select System > Audit Logs to open the audit logs.
Filter by time, action, username, or entity type to reduce the scope of the audit logs for review. For example, you can examine the activity of a specific user over a period of time, identify the users that performed a sensitive action in a period of time, locate the user that interacted with a specific threat in Splunk UBA, or show all activity for a narrow period of time.
Send audit logs to the Splunk platform for analysis
See Send Splunk UBA audit events to Splunk ES in Send and Receive Data from the Splunk Platform for complete instructions.
Collect diagnostic data from your Splunk UBA deployment
Manage the number of threats and anomalies in your environment
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 220.127.116.11, 5.0.5, 18.104.22.168