Integrate Splunk ES and Splunk UBA with the Splunk Add-on for Splunk UBA
Use the Splunk Add-on for Splunk UBA to integrate Splunk Enterprise Security (ES) and Splunk User Behavior Analytics (UBA). You can integrate Splunk UBA and Splunk ES to share the following types of data:
- Send Splunk UBA anomalies and threats to Splunk ES as notable events.
- Pull notable events from Splunk ES to Splunk UBA.
- Send Splunk UBA audit events to Splunk ES.
See Viewing data from Splunk UBA in Enterprise Security in Use Splunk Enterprise Security for more information.
Use Splunk ES to close or reopen notable events in order to have the corresponding threats also be closed or reopened in Splunk UBA. Do not close or reopen threats in Splunk UBA.
For instructions on how to send events from Splunk UBA to Splunk Enterprise without using Splunk ES, see Send Splunk UBA data to Splunk Enterprise without Splunk Enterprise Security in Administer Splunk User Behavior Analytics.
Deploy the Splunk Add-on for Splunk UBA
Send Splunk UBA anomalies and threats to Splunk ES as notable events
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 22.214.171.124, 5.0.5, 126.96.36.199, 5.1.0, 188.8.131.52