Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Send Splunk UBA threats to analysts using email

Send your security analysts threats from Splunk UBA to triage using email. Perform the following steps to set up an email server as an output connector in Splunk UBA:

  1. If your email server is using a self-signed or internal root certificate, you must Import the root CA certificate so that secure connections are trusted by Splunk UBA. You do not need to do this if your email server is using a certificate from a trusted certificate authority (CA) such as VeriSign or Thawte.
  2. Set up the email server as an output connector.

Your email server must support either STARTTLS or SSL in order to send emails over secure connections. Emails will not be sent over insecure connections.

Import the root CA certificate

Perform the following steps if your email server is using a self-signed or internal root CA certificate:

  1. Copy the root CA certificate from your email server to Splunk UBA.
  2. Log in to the Splunk UBA management server as the caspida user.
  3. Import the root CA certificate to the Java certificate store. For example, if you copied the root CA from your email server as cacert.pem:
    sudo keytool -import -alias "splunk smtp" -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -file ~/cacert.pem

    If your JDK is not installed in /usr/lib/jvm/java-1.8.0-openjdk-amd64, perform the following steps to import the root CA certificate:

    1. Ensure that $JAVA_HOME is set correctly on your system. In the following examples, replace <jdk-install-dir> with the directory where the JDK is installed, such as /usr/lib/jvm/java-1.8.0-openjdk-amd64.
      • To set the $JAVA_HOME in Korn and Bash shells:
        export JAVA_HOME=<jdk-install-dir>
        export PATH=$JAVA_HOME/bin:$PATH
        
      • To set the $JAVA_HOME in Bourne shells:
        JAVA_HOME=<jdk-install-dir>
        export JAVA_HOME
        PATH=$JAVA_HOME/bin:$PATH
        export PATH
        
      • To set the $JAVA_HOME in C shells:
        setenv JAVA_HOME <jdk-install-dir>
        setenv PATH $JAVA_HOME/bin:$PATH
        export PATH=$JAVA_HOME/bin:$PATH
        
    2. Import the root CA certificate to the Java certificate store.
      sudo keytool -import -alias "splunk smtp" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
    When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.

Set up the email server as an output connector

Perform the following steps to set up an output connector for emails. You will need to provide the account name and password for the SMTP server.

  1. Select Manage > Output Connectors.
  2. Click New Output Connector.
  3. Select an output connector type of Email and click Next.
  4. Type a Name for the email server so you can identify it in Splunk UBA.
    For example, Company email server.
  5. Type Recipients for threat emails.
    For example, the email address of a triaging security analyst or analyst group, or several email addresses separated by line breaks.
  6. Type your SMTP Server host name or IP address.
  7. Type the SMTP Server Port to use to access the email server.
    You must specify port 465 for SMTPS (SMTP over SSL) or 587 for STARTTLS.
  8. Type the Account Name for the email server.
    For example, Org-SOC@yourorg.com.
  9. Type the Account Password for the email server.
  10. Select the Individual Emails check box to receive an email for each threat. Deselect the check box to receive only one email for all the threats of a certain type.
    For example, if Splunk UBA generates four threats for "Insider: Suspicious Behavior," four emails are sent if the check box is selected, but if the check box is deselected, one email is sent.
  11. Check the Auto Process check box to receive notifications immediately when a threat is generated. Deselect the check box to send threats on an ad-hoc basis using the Actions menu on the Threat Details page.
  12. Check the Mask PII checkbox to mask PII such as usernames and IP addresses in the email. This setting only applies to auto-processed emails.
  13. Click OK to save the output connector for the email system.

What to expect from the emails

Threat emails sent from Splunk UBA contain the following information.

  • A subject of [Uba threat] and the name of the threat type. For example, [Uba threat] Insider: Suspicious Behavior.
  • A link to open the threat in Splunk UBA.
  • A short description of the threat including the threat type, risk score and severity level, summary, and description of the threat.
  • The time that Splunk UBA detected the threat, and when the threat was last updated, for example, with new anomalies.
  • Recommendations for the next steps in response to the threat.
  • Names and IP addresses of users, devices, and other actors involved in the threat.
Last modified on 06 April, 2021
PREVIOUS
Send Splunk UBA data to Splunk Enterprise without Splunk Enterprise Security
  NEXT
Send threats from Splunk UBA to ServiceNow

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters