Splunk® User Behavior Analytics

Send and Receive Data from the Splunk Platform


Pull notable events from Splunk ES to Splunk UBA

[Image: overview of the steps to configure a Splunk ES Notables or Splunk Direct data source to pull notable events from Splunk Enterprise Security (ES) to Splunk User Behavior Analytics (UBA). The steps shown in the image are described immediately following it.]

Perform the following tasks to set up the desired data source in Splunk UBA:

  1. In Splunk ES, set up Splunk UBA to receive notable events from Splunk ES.
  2. In both Splunk Enterprise and Splunk UBA, configure the Splunk platform to receive data from the Splunk UBA output connector.
  3. Set up Splunk UBA to pull notable events from Splunk ES. See Send notable events to Splunk UBA.


Pull notable events from Splunk ES

Use one of the following methods to pull notable events from Splunk ES to Splunk UBA:

Pull notable events and risk events using the Splunk ES Notables data source

Use the Splunk ES Notables data source in Splunk UBA to integrate Splunk UBA with Splunk ES. Configure Splunk UBA to connect to the Splunk ES search head. The Splunk ES Notables data source automatically ingests notable events and risk events from Splunk ES and properly maps categories from Splunk ES Content Updates. If you have custom correlation searches in Splunk ES, make sure the category field is added correctly in the correlation search.

See Filter the anomaly table in the Use Splunk User Behavior Analytics manual for the list of anomaly categories. The category field must match one of the listed categories. The Splunk UBA external alarm model uses these events and category mappings to generate meaningful anomalies, which can subsequently raise the appropriate threats.

Notable events that are closed in Splunk ES are not ingested by Splunk UBA.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. In the SIEM Connectors category, click Splunk ES Notables.
  4. On the Connection screen, provide connection and authentication details to connect to Splunk Enterprise Security (ES), then click Next. The connection and authentication details are those of the Splunk ES search head and the management port. 

    The user must have permissions to access the notable events and risk indexes.

  5. On the Time Range screen, select Live and All Time, then click Next.
  6. On the Splunk Query screen, verify the SPL being used to retrieve the events and category mappings from Splunk ES, then click Next. If you need to modify the SPL, make sure NOT (source="UEBA" OR source="UBA") is included in the final SPL to exclude Splunk UBA anomalies and threats.
  7. On the Test Mode screen, click Test Mode to validate the data source before ingesting all events, then click Next. See Add data sources to Splunk UBA in test mode for more information about test mode.
  8. Click OK.

Pull notable events using Splunk Direct

Use Splunk Direct to pull notable events from Splunk ES to Splunk UBA by configuring an external alarm data source. Write a custom query to handle the necessary data enrichment such as mapping the alarm category or severity.

  1. In Splunk ES, confirm that you get the desired notable events from the following query. The query analyzes notable events on Splunk ES that are not generated from Splunk UBA data sources and performs the proper mappings for the External Alarm category on Splunk UBA.

    You will need this query in the following steps.

    `notable`
    | search NOT (source="*UEBA*" OR source="*UBA*")
    | eval action=IF(action="deferred" OR action="blocked","blocked","allowed")
    | eval tag="attack,network,communicate", app='Authentication.app', dest_zone='dest_pci_domain', src_host='src_nt_host', src_zone='src_pci_domain'
    | eval severity="Critical", evcls=coalesce(signature,savedsearch_name,search_name)
    | eval signature=IF(isnull(signature),evcls,signature)
    | eval alarmCategories=CASE(
        like(lower(evcls),"%application%") OR like(lower(evcls),"%vulnerability%"),"ProductAttack",
        like(lower(evcls),"%intrusion%"),"SystemAttack",
        like(lower(evcls),"%data%loss%") OR like(lower(evcls),"%dlp%") OR like(lower(evcls),"%exfil%"),"Exfiltration",
        like(lower(evcls),"%malware%") OR like(lower(evcls),"%virus%") OR like(lower(evcls),"%botnet%") OR like(lower(evcls),"%backdoor%") OR like(lower(evcls),"%trojan%"),"MalwarePersistence",
        like(lower(evcls),"%malware%_operations") OR like(lower(evcls),"%cnc%") OR like(lower(evcls),"%callback%"),"MalwareActivity",
        like(lower(evcls),"%spam%") OR like(lower(evcls),"%phish%"),"MalwareInstall",
        1=1,"PolicyViolation")
    | eval user=IF(isnull(user) AND like(dest,"%@%"),dest,user), dest_ip=coalesce(dest_ip,'values(dest)'), eventtype=evcls, user=IF(like(user,"%wireless%"),"",user), src_ip=IF(isnull(src_ip) AND NOT like(src,"%@%"),src,src_ip), dest_ip=IF(like(dest_ip,"%@%"),"",dest_ip)
    | makemv delim="," tag
    | makemv delim=" " dest_ip
    | mvexpand dest_ip
    | fields action,alarmCategories,app,category,dest_host,dest_ip,dest_nt_domain,dest_zone,duration,eventtype,file_name,file_path,severity,signature,sourcetype,src_host,src_ip,src_zone,tag,url,user

  2. In Splunk UBA, select Manage > Data Sources.
  3. Click New Data Source.
  4. In the SIEM Connectors category, click Splunk ES Notables.
  5. On the Connection screen, provide connection and authentication details to connect to Splunk Enterprise Security (ES), then click Next. The connection and authentication details are those of the Splunk ES search head and the management port.

    The user must have permissions to access the notable events and risk indexes.

  6. On the Time Range screen, select Live and All Time, then click Next.
  7. On the Splunk Query screen, verify the SPL being used to retrieve the events and category mappings from Splunk ES, then click Next. If you need to modify the SPL, make sure NOT (source="UEBA" OR source="UBA") is included in the final SPL to exclude Splunk UBA anomalies and threats.
  8. On the Data Format page, select External Alarm as the field category. Keep the default values in the Splunk Field column.
  9. Enter the query that you verified at the beginning of this procedure again.
  10. Make sure Test Mode is not selected, and then click OK.
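The following Python script is an added example, not code from Splunk or from this manual. It re-implements the enrichment that the Splunk Direct query above performs (the action mapping, the evcls coalesce, the CASE() category mapping, the user/src_ip/dest_ip fix-ups and the makemv/mvexpand of dest_ip) so that you can check how a custom correlation search name will be categorized before the External Alarm data source goes live. Field names follow the query; the `values(dest)` field that the `notable` macro supplies is modelled here by the plain dest field, which is an assumption. The sample events at the bottom are constructed. One point the script makes visible: CASE() returns the first true branch, so any evcls that matches "%malware%_operations" has already matched "%malware%" and lands in MalwarePersistence; only the "%cnc%" and "%callback%" patterns can actually yield MalwareActivity with the branch order as written.

```python
import re

# Category branches in the same order as the CASE() in the SPL query above.
# CASE() returns the first branch whose condition is true, so order matters.
ALARM_CATEGORY_RULES = [
    ("ProductAttack",      ["%application%", "%vulnerability%"]),
    ("SystemAttack",       ["%intrusion%"]),
    ("Exfiltration",       ["%data%loss%", "%dlp%", "%exfil%"]),
    ("MalwarePersistence", ["%malware%", "%virus%", "%botnet%", "%backdoor%", "%trojan%"]),
    ("MalwareActivity",    ["%malware%_operations", "%cnc%", "%callback%"]),
    ("MalwareInstall",     ["%spam%", "%phish%"]),
]
DEFAULT_CATEGORY = "PolicyViolation"   # the 1=1 fallback branch


def spl_like(value: str, pattern: str) -> bool:
    """Emulate SPL like(): '%' matches any run of characters, '_' exactly one."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def classify_alarm_category(evcls: str) -> str:
    """Return the UBA External Alarm category the query assigns to this evcls."""
    lowered = evcls.lower()
    for category, patterns in ALARM_CATEGORY_RULES:
        if any(spl_like(lowered, p) for p in patterns):
            return category
    return DEFAULT_CATEGORY


def enrich_notable(event: dict) -> list[dict]:
    """Apply the query's eval/makemv/mvexpand steps to one notable event.

    Returns one dict per dest_ip value, mirroring `mvexpand dest_ip`.
    Missing fields are treated as SPL null.
    """
    e = dict(event)
    e["action"] = "blocked" if e.get("action") in ("deferred", "blocked") else "allowed"
    e["severity"] = "Critical"
    evcls = e.get("signature") or e.get("savedsearch_name") or e.get("search_name") or ""
    e["eventtype"] = evcls
    e["signature"] = e.get("signature") or evcls
    e["alarmCategories"] = classify_alarm_category(evcls)

    user, dest = e.get("user"), e.get("dest")
    if user is None and dest and spl_like(dest, "%@%"):
        user = dest                      # e-mail style dest becomes the user
    if user and spl_like(user, "%wireless%"):
        user = ""                        # the query blanks wireless pseudo-users
    e["user"] = user

    # Assumption: 'values(dest)' from the notable macro is modelled as dest.
    dest_ip = e.get("dest_ip") or dest
    if dest_ip and spl_like(dest_ip, "%@%"):
        dest_ip = ""                     # never treat an e-mail address as an IP
    src = e.get("src")
    if e.get("src_ip") is None and src and not spl_like(src, "%@%"):
        e["src_ip"] = src

    # makemv delim=" " dest_ip | mvexpand dest_ip
    values = dest_ip.split(" ") if dest_ip else [dest_ip]
    return [dict(e, dest_ip=v) for v in values]


# Constructed sample notables (not real Splunk ES output).
SAMPLE_NOTABLES = [
    {"action": "deferred", "search_name": "Host With Malware Detected",
     "dest": "10.0.0.5 10.0.0.6", "src": "10.0.0.1"},
    {"action": "allowed", "signature": "Phishing Email Received",
     "dest": "alice@example.com", "src": "mailer@example.com"},
    {"search_name": "Malware Operations Callback", "dest": "10.0.0.9"},
]

if __name__ == "__main__":
    for notable in SAMPLE_NOTABLES:
        for row in enrich_notable(notable):
            print(row["alarmCategories"], row["action"], row["user"], row["dest_ip"])
```

Run the script and compare its alarmCategories column against what you expect for each of your correlation search names; if a search name falls into PolicyViolation or the shadowed MalwarePersistence branch unintentionally, adjust the CASE() patterns or their order in the SPL before entering the query on the Data Format page.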
Last modified on 09 November, 2022

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1
