Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Create a custom rare events model by cloning an existing model

Cloning an existing model is the best way to get started when creating a custom model of your own. As you navigate your way through the Splunk UBA web interface, the fields are pre-populated using the parameters of the existing model. You only need to edit the fields you want to customize.

Perform the following steps to create a custom rare events model by cloning an existing rare events model:

  1. In Splunk UBA, select System > Models.
  2. Select Custom Models.
  3. Select New Custom Model.
  4. Select a model type. See Select a model type.
  5. Review the cube and attributes. See Review the cube and attributes.
  6. Select the tracking features. See Select and configure the tracking features.
  7. Configure the model attributes. See Configure the model attributes.
  8. Configure the model parameters. See Configure the model parameters.
  9. Configure the anomaly attributes. See Configure the anomaly attributes.
  10. Customize the anomaly fields. See Configure the anomaly fields.
  11. Click OK.

Select a model type

Select the type of model form which you want to create a clone:

  1. Select the Rare Events Model type.
  2. Click Clone from existing model and select a model from the drop-down list.
  3. Click Next.

Review the cube and attributes

The cube that is currently used by the model appears in the Cube field. The cloned cube uses the same cube as the original model. You can't change the cube in your cloned model.

Review the view type and attributes being used by the cube.

Click Next when you are ready to proceed.

Select and configure the tracking features

Select the desired tracking features. These are the attributes from the cube that are being used by the model:

  1. Select the tracking features.
    Field Description
    Field and Conditional The name of the attribute from the view that is being used by the model. Create a filter by specifying a condition. For example, if you select processPath with a processName condition, only processPath events that also have a processName are considered.
    Columns for Evidence The names of other columns for which Splunk UBA can show values as part of supporting evidence.
    Participants The entities that you want represented when an anomaly is raised. An anomaly must have at least one participant.
  2. Click Next.
  3. Customize the display names for the selected features. For example, you may want processPath to be displayed as Process Path.
  4. Click Next.

Configure the model attributes

The attributes that are currently in use by the model appear on this page. Edit the fields as desired for your own model:

  1. Enter a name for the model. This is the name that is be stored in the system, such as WindowsLogs_Cloned. The model name must not exceed 25 characters.
  2. Enter a display name for the model. For example, you may want the WindowsLogs_Cloned model to be displayed as Rare Microsoft Windows Events Model Clone.
  3. Enter a description.
  4. Enter a version number in the format x.x. For example: 1.1.
  5. Click Next.

Configure the model parameters

The parameters that are currently in use by the model appear on this page. Edit the parameters as desired for your own model:

  1. Edit the model parameters.
    Parameter Description
    Rare Threshold The rarity threshold for the model. The default is 1000, meaning that 1 out of 1000 occurrences is considered rare.
    Count threshold The number of tracking features to consider for rarity. The default is 1. If you specify 3, for example, that means 3 out of all the tracking features you configured have to be considered rare (exceed the rare threshold) in order an anomaly to be raised.
    Lookback The length of time that the model will look back. By default Splunk UBA data cubes store data for 30 days. You can configure a custom cube to hold more than 30 days worth of data provided you have sufficient storage on your system. If you configure a memory that is larger than the retention period of the data cube, the model only analyzes the amount of data that is in the cube.

    The reason for setting the memory to a large value (100 months by default) is that if you want to change the lookback window after the model is already running, it is preferable to edit the cube to retain more data than to change the parameters in the model. Be sure that your system can handle the additional space requirements if you want your cubes to retain more data.

  2. Click Next.

Anomalies are not raised unless both the rare threshold and count threshold are exceeded.

Configure the anomaly attributes

The anomaly attributes that are currently in use by the model appear on this page. Edit the attributes for the anomaly you want to be generated by this model:

  1. Specify a name and description for the anomaly.
  2. Select one or more categories you want to apply to the anomaly. Splunk UBA threat models use anomaly categories to generate specific types of threats. See Filter the anomaly table by anomaly category for a listing and descriptions of anomaly categories in Splunk UBA.
  3. Click Next.

To edit the scoring properties of the anomaly, modify the anomaly scoring rules. See Customize anomaly scoring rules.

Customize the anomaly fields

Customize each anomaly field name and description. These field names and descriptions appear in Splunk UBA.

Last modified on 12 December, 2023
PREVIOUS
View, edit, delete, or restore a data cube
  NEXT
Create a custom time series model by cloning an existing model

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters