Manage Splunk UBA configuration properties in the uba-site.properties file
Configure Splunk UBA by adding or editing properties in the
/etc/caspida/local/conf/uba-site.properties file. Customizations made in this file are not modified during any upgrade procedures.
You can configure the following product areas in Splunk UBA by adding or editing properties in the
- Splunk UBA environment properties
- Splunk UBA and Splunk Enterprise Security (ES) properties
- Event drilldown properties
- Raw event data ingestion properties
- Asset and identity data ingestion properties
- Kafka data ingestion properties
- Anomaly and threat properties
- Backup and restore properties
In the tables in each section, the values in the Default behavior column indicate the default Splunk UBA behavior when a configuration property is not set.
How to set configuration properties in Splunk UBA
A file called
/opt/caspida/conf/uba-default.properties is used by Splunk UBA to manage many of the processes and micro-services required to operate Splunk UBA. To edit any of these default properties, or to add new properties, copy this file to
/etc/caspida/local/conf/uba-site.properties file. Only edit the
uba-site.properties file when changes are required. The
/etc/caspida/local/conf directory is not affected by any upgrade scripts so configuration changes in this location can persist across product upgrades.
Perform the following steps to edit the
/etc/caspida/local/conf/uba-site.properties and have the changes take effect:
- Log in to the Splunk UBA management node as the caspida user.
- Edit the
/etc/caspida/local/conf/uba-site.propertiesfile and add or edit the desired property and value.
- Save and exit the file.
- Synchronize the configuration changes across the cluster:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
Depending on the service you are configuring, there might be additional steps required in order for the configuration property changes to take effect.
Splunk UBA environment properties
This table lists the configuration properties affecting your Splunk UBA setup.
|system.docker.networkcidr||Use this property to customize the IP addresses of your Docker containers to avoid conflicts in your network. See Change the IP address of your Docker containers.
|ui.idleTimeout||Use this property to change or disable the timeout value for the Splunk UBA web interface. See Disable the Splunk UBA web interface timeout.
||1800000 (30 minutes)|
|Health monitor indicators||Many health monitor indicators have configurable properties that allow you change the threshold at which a warning or error is generated. See Health Monitor status code reference.||Varies.|
Splunk UBA and Splunk Enterprise Security integration properties
This table lists the configuration properties for Splunk UBA and Splunk Enterprise Security (ES) integration.
|uba.splunkes.retry.delay.minutes||Configure how often Splunk UBA sends threats to Splunk ES. See How threats and notables are synchronized in the Send and Receive Data from the Splunk Platform manual.
|uiServer.host||The name of the Splunk UBA server specified when running the
|uba.sys.audit.push.splunk.enabled||Set this property to
|identity.resolution.export.enabled||Set this property to
Event drilldown properties
This table lists the configuration properties for using event drilldown in Splunk UBA.
|triggering.event.pre.calculate.links.anomaly.threshold||Adjust the anomaly score threshold for caching the SPL to retrieve contributing anomalies. See Splunk UBA caches the SPL for important anomalies in Use Splunk User Behavior Analytics.
|triggering.event.timeout.millis||Timeout value for the SPL in retrieving an anomaly's contributing events. See Configure properties to increase the timeout interval in Use Splunk User Behavior Analytics.
|triggering.event.enable.reverse.ir||Whether or not to enable reverse identity resolution (IR). See reverse IR to view contributing events Documentation:UBA:User:TriggeringEvents in Use Splunk User Behavior Analytics.
|triggering.event.search.backend.submission||Submit the generated SPL to the Splunk platform using same credentials as the one used to create the data source. See Working with long URLs in Use Splunk User Behavior Analytics.
Raw event data ingestion properties
This table lists the configuration properties for Splunk UBA to ingest raw events from the Splunk platform.
|splunk.live.micro.batching||Splunk UBA ingests data from the Splunk platform by performing micro batch queries. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.
|splunk.live.micro.batching.delay.seconds||Define the point in time where Splunk UBA begins data ingestion. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.
|splunk.live.micro.batching.interval.seconds||The length of time for each micro batch query. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.
|connector.splunk.max.backtrace.time.in.hour||The window of time that determines when to begin data ingestion, especially after a data source is stopped and then restarted. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.
|parser.global.input_timezone||Set the time zone you want to use when ingesting events, in particular for file-based data sources. See Add file-based data sources to Splunk UBA in Get Data into Splunk User Behavior Analytics.
Asset and identity data ingestion properties
This table lists the configuration properties for Splunk UBA to ingest asset and identity data.
|attribution.keyvalue.delimiter||The delimiter to use when ingesting assets data with multi-values fields. See Configure asset ingestion for multi-valued fields in Get Data into Splunk User Behavior Analytics.
|assets.proxy.query.adformat||Specify whether Splunk UBA should use MULTILINE or XML format when querying Windows Security Event logs for proxy servers. See Perform asset identification by using the Splunk Assets data source in Get Data into Splunk User Behavior Analytics.
|identity.resolution.blacklist.threshold.device.hostnamecount||To help Splunk UBA identify multi-user systems, data from last 24 hours is analyzed to find occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of device mappings. See View IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics.
|identity.resolution.blacklist.threshold.device.hostnamehours||To help Splunk UBA identify multi-user systems, data from last 24 hours is analyzed to find occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of consecutive hours. See View IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics.
|identity.resolution.hrcache.capacity||Set the value of this property to three times the number of HR accounts being monitored by Splunk UBA to avoid potential performance issues. See Set the HR data cache capacity in the Get Data into Splunk User Behavior Analytics manual.
Kafka data ingestion properties
This table lists the configuration properties related to anomalies and threats in Splunk UBA.
For additional documentation, see Configure Kafka data ingestion in the Splunk UBA Kafka Ingestion App manual.
|splunk.kafka.ingestion.search.delay.seconds||The point in time where Splunk UBA begins Kafka ingestion.
|splunk.kafka.ingestion.search.interval.seconds||The length of the time in seconds for each batch query.
|splunk.kafka.ingestion.search.max.lag.seconds||The maximum, lag, or amount of time between the end time of the most recent batch query and the time Kafka ingestion starts.
Anomaly and threat properties
This table lists the configuration properties related to anomalies and threats in Splunk UBA.
|entity.score.lookbackWindowMonths||Entity scoring is based on anomalies and threats from the past 2 months. Configure this property to change the time window. See Filter the scope of anomalies and threats in Use Splunk User Behavior Analytics.
|persistence.anomalies.trashed.maintain.days||Splunk UBA purges anomalies more than 90 days old. Configure the property to change this value. See Splunk UBA cleans up old anomalies in the trash in User Splunk User Behavior Analytics.
|persistance.anomalies.trashed.del.limit||Splunk UBA removes batches of 300,000 anomalies when purging old anomalies. Configure the property to change the batch size. See Splunk UBA cleans up old anomalies in the trash in User Splunk User Behavior Analytics.
|rule.engine.process.timeout.min||The number of minutes allowed for a threat rule to run and complete before it times out. See Manage the number of threats and anomalies in your environment in User Splunk User Behavior Analytics.
Backup and restore properties
This table lists the configuration properties related to backup and restore in Splunk UBA.
For more information about these configuration properties, see Backup and restore Splunk UBA using automated incremental backups.
|backup.filesystem.full.interval||The frequency with which Splunk UBA performs an automated full backup without stopping Splunk UBA.
|backup.filesystem.enabled||Set this property to designate whether or not automated backups are enabled on the system.
|backup.filesystem.directory||Set this property to designate the location where the automated backups are stored.
Warm standby properties
This table lists the configuration properties related to warm standby in Splunk UBA.
For more information about these properties, see Set up the standby Splunk UBA system.
|replication.enabled||Set this property to enable the primary system to synchronize with the standby system.
|replication.primary.host||Specify the management node of the primary Splunk UBA cluster.
|replication.standby.host||Specify the management node of the standby Splunk UBA cluster.
Custom content properties
This table lists the configuration properties related to custom models and cubes in Splunk UBA.
For more information about these properties, see Set limits for the number of custom models, cubes, measures and dimensions in Splunk UBA in the Develop Custom Content in Splunk User Behavior Analytics manual.
|custom.cubes.non.deleted.max||The maximum number of custom cubes that can be created.
|custom.cubes.dimensions.max||The maximum number of dimensions allowed in a custom cube.
|custom.cubes.measures.max||The maximum number of measures allowed in a custom cube.
|custom.models.enabled.max||The maximum number of active custom models allowed.
Start and stop Splunk UBA services from the command line
When jobs run in Splunk UBA
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.5, 18.104.22.168, 5.1.0, 22.214.171.124