New custom models in test mode
New custom models are created in test mode. After you create a custom model, you can trigger the model to run one time, or change the model to active mode, which makes it available to Splunk UBA components. See Trigger, activate, or deactivate your custom models.
Only users with the role of Content_Developer can view test mode anomalies.
The anomalies generated by models in test mode are also in test mode. Anomalies generated in test mode can only be viewed by users with content developer privileges, and are not made available to any Splunk UBA components.
Test mode anomalies have the following restrictions:
- Test mode anomalies are not counted towards the total number of anomalies in Splunk UBA.
- Test mode anomalies may be included in a threat, but do not factor into the threat's score or into whether the threat is generated. A threat and its score are only affected by live anomalies in the system.
- Test mode anomalies are not sent to Splunk Enterprise Security (ES). Threats sent to Splunk ES as notable events do not contain references to test mode anomalies.
Anomalies generated by active mode models behave and are used by Splunk UBA in the same manner as anomalies generated by existing live streaming or batch models.
View test mode anomalies
Perform the following tasks to view test mode anomalies:
- In Splunk UBA, click Anomalies on the home page, or select Explore > Anomalies.
- Select Actions > View Test Mode Anomalies.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1