Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Trigger, activate, or deactivate your custom models

For any anomalies to be generated by Splunk UBA, you must trigger or activate your custom models.

The logged in user must have the role of Content_Developer to trigger, activate, or deactivate custom models.

Trigger a custom model

Triggering a custom model makes the model run one time, immediately.

You can trigger both active and inactive models:

Triggering an inactive model does not change the inactive model to active.

  • Anomalies generated by triggering an inactive custom model remain in test mode and are not factored into any computations or threat generation.
  • Anomalies generated by triggering an active custom model are made available to all Splunk UBA components.

Perform the following tasks to trigger a custom model:

  1. In Splunk UBA, go to System > Models.
  2. Select Custom Models.
  3. Hover over the model you want to trigger, and from the hamburger menu select the edit icon and select Trigger.
  4. Click OK to confirm that you want to trigger the model.

Activate a custom model

Perform the following tasks to activate a custom model:

  1. In Splunk UBA, go to System > Models.
  2. Select Custom Models.
  3. Hover over the model you want to activate, and from the hamburger menu select the edit icon and select Activate.
  4. Select what you want to do with the anomalies raised by this model while the model was also in test mode:
    • Select Keep anomalies in Test Mode to leave the test mode anomalies in the system. Test mode anomalies are not be used in any threat computations and are not available to Splunk UBA components.
    • Select Delete anomalies to permanently delete the test mode anomalies from the system.
    • Select Move anomalies to Active Mode to change the anomalies from test mode to live anomalies. The anomalies are made available to all Splunk UBA components.
  5. Click OK to confirm that you want to activate the model.

Custom models run on the same schedule as the existing batch models in Splunk UBA. See When job run in Splunk UBA in Administer Splunk User Behavior Analytics.

Go to the Models page in Splunk UBA to see if your models were run:

  1. In Splunk UBA, click "System > Models'.
  2. Select Custom Models to view information about your custom models, including the last time each model was run.

Deactivate a custom model

Perform the following tasks to activate a custom model:

  1. In Splunk UBA, go to System > Models.
  2. Select Custom Models.
  3. Hover over the model you want to deactivate, and from the hamburger menu select the edit icon and select Deactivate.
  4. Select what you want to do with the anomalies raised by this model while the model was active:
    • Select Leave anomalies in active mode to leave the anomalies in the system. The anomalies remain available to all Splunk UBA components.
    • Select Permanently delete anomalies to permanently delete the anomalies from the system.
  5. Click OK to confirm that you want to deactivate the model.

A deactivated model remains in the /etc/caspida/local/conf/modelregistry/offlineworkflow/ModelRegistry.json file.

Last modified on 13 December, 2023
PREVIOUS
New custom models in test mode
  NEXT
Edit or delete custom models

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters