Splunk® User Behavior Analytics

Plan and Scale your Splunk UBA Deployment

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

About Splunk User Behavior Analytics

Splunk User Behavior Analytics (UBA) uses behavior modeling, peer-group analysis, and machine learning to uncover hidden threats in your environment. Splunk UBA automatically detects anomalous behavior from users, devices, and applications, combining those patterns into specific, actionable threats.

Investigate and respond to detected threats using a streamlined threat review workflow that provides visibility into anomalous activity and supporting evidence. Splunk UBA increases the effectiveness of your security analysts by helping them focus on threats and malicious activities with kill chain and geographical visualizations.

How does Splunk UBA work?

Splunk UBA ingests data from the Splunk platform, which includes Splunk Enterprise and Splunk Cloud Platform, and does the following to help you understand what users are doing in your environment. Splunk UBA generates threats by performing the following tasks:

  1. Normalize device and domain names, and associate all accounts identified in your HR data with a single human user.
  2. Perform identity resolution to find the real-time association between IP addresses, host names, and users, and also maintain these associations over time.
  3. Baseline the behavior of the users, devices, and apps in your environment across organizational units and peer groups.
  4. Use unsupervised machine learning algorithms to analyze the data for activity deviating from normal behavior. Splunk UBA uses anomaly detection rules and models to distill millions of events to a few hundred anomalies.
  5. Use threat rules and models to further distill anomalies down to a handful of threats. A single anomaly might not represent a legitimate threat in your environment. Over time, however, a series of anomalies can tell a story about a threat that must be investigated. Threat detection models can stitch together anomalies to provide an end-to-end story about a high-fidelity threat.

See Understand data flow in Splunk UBA in the Get Data into Splunk User Behavior Analytics manual for more details about how data moves through Splunk UBA.

How does Splunk UBA work with other Splunk security products?

Splunk UBA gets its data from the Splunk platform. Unlike many Splunk security products which are apps installed on the Splunk platform, Splunk UBA must be installed on dedicated resources in the form of physical, on-premise servers or servers in your organization's managed cloud deployment. See System requirements for Splunk UBA in Install and Upgrade Splunk User Behavior Analytics.

This diagram shows how Splunk UBA fits in with other Splunk security products. There is a large box labeled Splunk Enterprise or Splunk Cloud Platform, with Splunk Enterprise Security, Splunk Security Essentials, and Splunk machine Learning Toolkit as apps within the large box. Splunk Phantom and Splunk UBA are outside the box, since they each require their own hardware stack and are not installed as apps on the Splunk platform.

Integrate Splunk UBA with the Splunk platform to perform the following tasks:

  • When viewing anomaly details in Splunk UBA, you can return to Splunk Enterprise or Splunk Cloud Platform to view some of the raw events contributing to the anomaly raised in Splunk UBA. See Use event drilldown to review an anomaly's raw events in the Use Splunk User Behavior Analytics manual.
  • Send notable events from Splunk Enterprise Security (ES) to Splunk UBA or send anomalies and threats from Splunk UBA to Splunk ES. The status of any notable events in Splunk ES and anomalies and threats in Splunk UBA that are shared between systems are synchronized to provide consistency and continuity in your investigations. This integration requires the Splunk Add-On for Splunk UBA. See About the Splunk add-on for Splunk UBA in the Send and Receive Data from the Splunk Platform manual.

See also

For more information about the other products in the Splunk security portfolio, see the product documentation.

You want to do this Documentation
Use Splunk Enterprise and Splunk Cloud Platform to aggregate logs and perform human-based analysis of rules, statistics, and correlation, as well as perform ad-hoc searches and pivots. See:
Start your security journey with Splunk Security Essentials to find the best content available in your environment and determine which solutions are the most effective. See What's new in Splunk Security Essentials in the Splunk Security Essentials Release Notes.
Use Splunk ES to orchestrate investigations, detections, and respond to security threats. Splunk ES includes the Splunk Add-on for Splunk UBA which indexes data sent from Splunk UBA to the Splunk platform and allows you to send data from the Splunk platform to Splunk UBA. See:
The Splunk Machine Learning Toolkit (MLTK) provides packaged Splunk Search Processing Language (SPL) search commands, macros, and visualizations. Use the MLTK to build custom machine learning solutions for any use case. See About the Machine Learning Toolkit in the User Guide.
Use Splunk SOAR (On-premises), formerly Splunk Phantom, to automate your security workflow. See About Splunk SOAR (On-premises) in Use Splunk SOAR (On-premises).
Last modified on 08 October, 2021
Splunk UBA deployment architecture

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.5,, 5.1.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters