About the Splunk Add-on for Splunk UBA
The Splunk Add-on for Splunk UBA indexes data sent from Splunk User Behavior Analytics (UBA) to the Splunk platform and allows you to send data from the Splunk platform to Splunk UBA. The Splunk Add-on for Splunk UBA consists of two separate add-ons:
- The SA-UEBA add-on is installed in the
SA-UEBAdirectory and is a supporting add-on for Splunk UBA. This add-on is disabled by default. The SA-UEBA add-on has no configuration options and only needs to be enabled in your environment.
- The Splunk Add-on for UEBA is installed in the
Splunk_TA_uebadirectory and is a technology add-on for Splunk UBA. This add-on is enabled by default and has configuration options.
How do I obtain the Splunk Add-on for Splunk UBA?
The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). If you find that the Splunk Add-on for UBA is not installed, run the Splunk Enterprise Security Post-Install Configuration again and ensure that Splunk_TA_ueba is selected for installation. See Install Splunk Enterprise Security in the Splunk Enterprise Security Installation and Upgrade manual.
Functionality provided by the Splunk Add-on for Splunk UBA
In any environment with both Splunk UBA and Splunk ES, both add-ons included in the Splunk Add-on for Splunk UBA are required and both must be enabled.
The SA-UEBA add-on provides the following features and capabilities:
- Contains the
uebadata model definition for Splunk UBA threats and anomalies which provides accelerated Splunk UBA information to Splunk ES.
- Defines the
ubaeventsmacros in Splunk ES.
- Defines multiple correlation searches relating to Splunk UBA anomaly and threat detection:
- Threat - UEBA Threat Detected (Notable) – Rule
- Threat - UEBA Threat Detected (Risk) – Rule
- Threat - UEBA Anomaly Detected (Risk) – Rule
- Defines multiple key-indicator searches for populating Splunk web in Splunk ES, such as anomaly actors, anomaly signatures, anomalies per threat, and total anomalies.
- Defines the UEBA - Notable External Reference - Lookup Gen lookup generation search.
- Defines multiple swim-lane searches for populating Splunk Web in Splunk ES, such as UEBA Threats By Asset, UEBA Threats By Identity, UBA Anomalies By Asset, and UBA Anomalies By Identity.
The Splunk Add-on for UEBA provides the following features and capabilities:
- Contains the
send2ubafunction which allows saved search results to be forwarded to Splunk UBA.
- Defines the edit_uba_settings capability which is added to the ess_admin role in Splunk ES and can be assigned.
- Defines the syslog-based output for Splunk UBA data in the
- Defines multiple macros used to enrich events within Splunk ES to make them compatible with Splunk UBA.
- Defines the Event Drilldown workflow. See Use event drilldown to review an anomaly's raw events in the Use Splunk User Behavior Analytics manual.
- Contains lookups that can be referenced, such as a lookup for converting a Splunk UBA threat score into a Splunk ES urgency value.
- Enables Splunk ES to retrieve user and device association data from Splunk UBA.
See the following table for a summary of the functionality provided by SA-UEBA and the Splunk Add-on for UEBA.
|Feature||SA-UEBA||Splunk Add-on for UEBA|
|Visible?||No||Yes, this add-on contains a view for configuration.|
|Collection method||TCP||TCP port 10008|
|CIM Compliance||None||None. This data maps to the UEBA data model included with Splunk ES. See Data models used by ES in the Developer Guide for Splunk Cloud Platform and Splunk Enterprise.|
How Splunk UBA sends and receives data from the Splunk platform
Requirements for using the Splunk Add-on for Splunk UBA
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 220.127.116.11, 5.0.5, 18.104.22.168