Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

Edit anomaly scoring rules

Custom anomaly scoring is performed in the following ways:

  • New anomalies created by cloning an existing model inherit the base score from the parent or source model.
  • New anomalies created without cloning any existing models have a default base score of 6.

After new anomalies are created in Splunk UBA, you can edit the scoring rules for your custom anomalies. Admin privileges are required to edit anomaly scoring rules.

Perform the following tasks to customize the anomaly scoring rules for anomalies generated by your custom models:

  1. If you are logged in to Splunk UBA as a user with Content_Developer privileges, log out of Splunk UBA.
  2. Log in to Splunk UBA as a user with Admin privileges.
  3. To customize the scoring rules for the anomalies generated by your custom models, follow the instructions in Customize anomaly scoring rules in Administer Splunk User Behavior Analytics.
Last modified on 12 December, 2023
Edit or delete custom models   Example: Create a new custom badge access model

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters