Integrate Splunk ES and Splunk UBA with the Splunk Add-on for Splunk UBA
Use the Splunk Add-on for Splunk UBA to integrate Splunk Enterprise Security (ES) and Splunk User Behavior Analytics (UBA).
The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). See How do I obtain the Splunk Add-on for Splunk UBA?
You can integrate Splunk UBA and Splunk ES to share the following types of data:
- Send Splunk UBA anomalies and threats to Splunk ES as notable events.
- Pull notable events from Splunk ES to Splunk UBA.
- Send Splunk UBA audit events to Splunk ES.
For more information, see Viewing data from Splunk UBA in Enterprise Security in Use Splunk Enterprise Security.
Use Splunk ES to close or reopen notable events in order to have the corresponding threats also be closed or reopened in Splunk UBA. Do not close or reopen threats in Splunk UBA.
For instructions on how to send events from Splunk UBA to Splunk Enterprise without using Splunk ES, see Send Splunk UBA data to Splunk Enterprise without Splunk Enterprise Security in Administer Splunk User Behavior Analytics.
Deploy the Splunk Add-on for Splunk UBA | Send Splunk UBA anomalies and threats to Splunk ES as notable events |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1
Feedback submitted, thanks!