What is the custom use case framework?
Use the custom use case framework in Splunk UBA to create custom data cubes and models and deploy additional use cases not already covered by Splunk UBA's streaming and batch models. Content developers such as security research teams, security experts or professional services members can leverage the functionality of existing time series or rare events models by cloning the models to build a custom use case without writing code or defining algorithms.
Only users with the Content_Developer role have permission to create content in Splunk UBA. See Manage user accounts and account roles in Splunk UBA in Administer Splunk User Behavior Analytics.
Clone existing models or create new models in Splunk UBA
You can clone or create new batch (offline) models in Splunk UBA. You can clone or create the following types of batch models:
- Rare events models, which generate content in Splunk UBA such as anomalies by detecting unusual, rare, or first time activity. See Create a custom rare events model by cloning an existing model.
- Time series models, which generate content in Splunk UBA such as anomalies by tracking specific activities over a period of time. See Create a custom time series model by cloning an existing model.
When a custom model is created, it remains in test mode until it is activated. Any anomalies generated by a model in test mode also remain in test mode so as to not interfere with ongoing day-to-day operations in Splunk UBA such as threat computations or investigations. When a model is activated, you can delete, ignore, or migrate the test mode anomalies to the production system, thereby making them available to all of Splunk UBA's components.
See Trigger or activate your custom models.
Create new cubes for data aggregation in Splunk UBA
The custom use case framework also provides the ability to create new data cubes. A data cube is a table of aggregated event data used by models to generate content in Splunk UBA. Cubes consist of dimensions and measures:
- A dimension is a string value from a specific field in an event, such as the user ID.
- A measure is a mathematical calculation based on a dimension, such as the total number of users.
See Understanding Splunk UBA data cubes.
Set limits for the number of custom models, cubes, measures, and dimensions in Splunk UBA
By default, you can create a maximum of four custom cubes in Splunk UBA, and each cube can have a maximum of six dimensions and three measures. If you want to create additional cubes, you must delete one of the existing custom cubes before you are able create another.
There is no limit to the number of custom models you can create, but you can only activate a maximum of six models at a time. If there are already six active custom models, you must deactivate one custom model before you can activate another.
To customize the number of active custom models and cubes allowed, along with the number of dimensions and measures allowed in each cube, perform the following tasks:
- Log in to the management node in your Splunk UBA deployment as the caspida user.
- Edit the
/etc/caspida/local/conf/uba-site.properties
file, then add and configure the properties in the table as desired:Property Description Default Value custom.cubes.non.deleted.max The maximum number of custom cubes that can be created. 6 custom.cubes.dimensions.max The maximum number of dimensions allowed in a custom cube. 6 custom.cubes.measures.max The maximum number of measures allowed in a custom cube. 3 custom.models.enabled.max The maximum number of active custom models allowed. 6 - Run the following command to synchronize the configuration change across all nodes in the cluster:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
Understanding Splunk UBA data cubes |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1
Feedback submitted, thanks!