Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Investigate and monitor domains

Investigate and monitor the domains in your network that are associated with anomalies. View details about domains on the Domain Details page.

  1. From the Splunk UBA navigation menu select Explore > Anomalies. This opens the AnomaliesTable.
  2. Open an anomaly that contains a domain name, such as a Domain Name Anomaly.
  3. Click the domain name from the list of Domains to view the domain details.

Add a domain to a Watchlist

Monitor domains in your network by adding a domain to a Watchlist.

  1. From the Domain Details page, select Watchlists.
  2. Select a Watchlist to add the domain to the Watchlist.

Different from the domain allow list and domain deny list, you can use a domain watchlist to take action on anomalies or create custom threats that take domains on a watchlist into account. Add a domain to an allow list to make sure that events associated with the domain do not create anomalies or threats. Add a domain to a deny list to make sure that events associated with the domain create anomalies or threats. However, if you want to make sure that events associated with a domain do not create anomalies of a specific type, add the domain to a domain watchlist and create an anomaly action rule.

For example, to prevent events containing the domain http://s647gfdsfgtl.example.com from creating algorithmically generated domain anomalies, but still create a malicious domain anomaly, create an anomaly action rule. See Take action on anomalies with anomaly action rules.

Review the domain information

See all the information associated to a domain.

  • Identify any threats associated with the domain, and any anomalies associated with the domain. Click a threat to open the Threats page for the domain details, or an anomaly to open the Anomalies page for the domain details.
  • See all users in the anomalies associated with this domain. Click the name of a user to open the User Information page for the user. See View user information.
  • Identify devices associated with the domain anomalies.
  • Review the participants in any associated anomalies and the relative severity of the interactions in the Domain Relations panel. Identify if there are multiple users visiting the same questionable domain.
  • Review the Domain Registrant (Whois) to see what WHOIS registration data exists for the domain.
  • Determine if the domain is associated with malware or is otherwise malicious by viewing information about the domain in VirusTotal.

Review the domain anomalies

See all anomalies associated with a domain on the domain anomalies section of the domain details.

  • Review the Domain Anomalies Timeline to see the types of anomalies associated with the domain over time.
  • Review the Domain Anomalies Trend to identify large numbers of domain anomalies over time.
  • Review the table of Domain Anomalies to see a comprehensive list of all anomalies associated with the domain.

Review the domain threats

See all threats associated with a domain on the domain threats section of the domain details.

  • Review the Domain Threats Timeline to see the types of threats associated with the domain over time.
  • Review the table of Domain Threats to see a comprehensive list of all threats associated with the domain.
Last modified on 30 November, 2023
Close threats in Splunk UBA   Investigate suspicious activity as a hunter

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters