Splunk® User Behavior Analytics

Release Notes

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Welcome to Splunk UBA 5.1.0

Splunk UBA 5.1.0 is a platform release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.

If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documentation before you get started:

Customers must be on UBA version 5.0.5 or 5.0.5.1 to upgrade to UBA 5.1.0. Customers on UBA 5.0.0 must first upgrade to UBA 5.0.5 and then to UBA 5.1.0. Customers on a UBA version lower than 5.0.0 must first upgrade to UBA 5.0.0 before upgrading to UBA 5.0.5 and then to UBA 5.1.0.

What's new in 5.1.0

Splunk UBA 5.1.0 includes the following features, enhancements, or changes:

On December 31, 2021, Red Hat's CentOS Linux reached End Of Life (EOL). Per Red Hat, Inc, CentOS Linux users must migrate to a new operating system to continue receiving updates, patches, and new features. Red Hat also encourages customers to migrate to RHEL. Additionally, Red Hat made the new "CentOS Stream" operating system a non-production, pre-build version of RHEL, with no long-term support model. Splunk UBA does not include CentOS Stream as a supported operating system. Customers must migrate to and adopt a supported production Linux distro of RHEL, Ubuntu, or OEL as a base OS for UBA version 5.1.0.

Feature, enhancement, or change: Description

Operating System updates: The 5.1.0 release provides the following operating system updates:
  • Support for RHEL versions 8.5 and 8.4 (new installations) and 8.5 (new installation and upgrades).
  • Support for Ubuntu 18.04 (new installation and upgrades). Upgrade from Ubuntu 16.04 to 18.04 for the AMI.
  • End of support for CentOS. CentOS version 8 is end of life. The Linux community recommends CentOS customers migrate to RHEL 8. See, https://www.centos.org/centos-linux-eol/.
  • No longer publishing an OVA for VMware platforms. Will continue to release UBA as an AMI for AWS.

The 5.1.0 AMI package will be available shortly after GA for AWS environments.

See Operating system requirements in Install and Upgrade Splunk User Behavior Analytics manual.

OEL OS updates: OEL Leapp updated its base operating system to OEL version 8.7. OEL 8.7 support will be available with Splunk UBA version 5.2.0, but is not supported for version 5.1.0. Splunk UBA 5.2.0 is planned for release in early 2023. If you are a Splunk UBA customer using OEL, refrain from upgrading OEL until you upgrade to Splunk UBA version 5.2.0.

Support for OEL 8.6 is available for new installations.

Splunk 9.0 certification: You can now use Splunk UBA with Splunk Enterprise version 9.0. See, Splunk UBA product compatibility matrix.

Support of air gap installation: Version 5.1.0 supports air gap installation.

The UBA package, and upgrades or security patches for the OS require internet access.

Improved display of threats and anomalies tables: You can now see and search on the employeeid field in users, threats, and anomalies tables.

Ability to delay UBA processing on a per-data source basis: You can now specify lag or data ingest delay by data source. For example, if you know that a data source is always 60 minutes behind, you can specify a per-data source delay within UBA, and perform searching one hour behind.

JavaScript library update: Version 5.1.0 supports jQuery 3.6.0.

MaxMind database update: The MaxMind location database is updated for accurate mapping of IP addresses to geographic locations.

Library updates impact to custom ML model outcomes: Updates to the libraries that security content depends on might impact custom-built ML model outcomes. Custom Spark-based analytic content in a UBA deployment might no longer work as intended or have performance issues. For additional details and troubleshooting, see Security Made Stronger with Splunk User Behavior Analytics (UBA) Version 5.1.

Deprecated data source types: The Netcat and Syslog data sources in UBA have been deprecated due to one underlying platform update. These two options are removed from the data source UI and any existing data sources using these two types are turned off. You must replace the Netcat and Syslog data sources with direct data sources for Netcat and Syslog.

Deprecated support for Splunk UBA SDK: Splunk UBA SDK is not compatible with UBA version 5.1.0.

Removal of a threat model: The "Hypergraph based Malware Threat Detection Model" is disabled in UBA version 5.1.0 due to a discovered performance issue. A fix is planned for a future release.

End of updates to the out-of-the-box popular domain list: Service provider Alexa is end of life.

Splunk UBA external dependencies

You can download a PDF file listing the external dependencies required to install Splunk UBA:

Do not independently upgrade the following UBA-dependent components to avoid impacting UBA operations:

  • docker
  • hadoop
  • hive
  • impala
  • influxdb
  • kafka
  • kubernetes
  • nodejs
  • openjdk
  • postgresql
  • protobuf
  • redis
  • spark
  • zookeeper
Last modified on 23 August, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0

