Trigger, activate, or deactivate your custom models
For any anomalies to be generated by Splunk UBA, you must trigger or activate your custom models.
The logged in user must have the role of Content_Developer to trigger, activate, or deactivate custom models.
Trigger a custom model
Triggering a custom model makes the model run one time, immediately.
You can trigger both active and inactive models:
Triggering an inactive model does not change the inactive model to active.
- Anomalies generated by triggering an inactive custom model remain in test mode and are not factored into any computations or threat generation.
- Anomalies generated by triggering an active custom model are made available to all Splunk UBA components.
Perform the following tasks to trigger a custom model:
- In Splunk UBA, go to System > Models.
- Select Custom Models.
- Hover over the model you want to trigger, and from the hamburger menu select the edit icon and select Trigger.
- Click OK to confirm that you want to trigger the model.
Activate a custom model
Perform the following tasks to activate a custom model:
- In Splunk UBA, go to System > Models.
- Select Custom Models.
- Hover over the model you want to activate, and from the hamburger menu select the edit icon and select Activate.
- Select what you want to do with the anomalies raised by this model while the model was also in test mode:
- Select Keep anomalies in Test Mode to leave the test mode anomalies in the system. Test mode anomalies are not be used in any threat computations and are not available to Splunk UBA components.
- Select Delete anomalies to permanently delete the test mode anomalies from the system.
- Select Move anomalies to Active Mode to change the anomalies from test mode to live anomalies. The anomalies are made available to all Splunk UBA components.
- Click OK to confirm that you want to activate the model.
Custom models run on the same schedule as the existing batch models in Splunk UBA. See When job run in Splunk UBA in Administer Splunk User Behavior Analytics.
Go to the Models page in Splunk UBA to see if your models were run:
- In Splunk UBA, click "System > Models'.
- Select Custom Models to view information about your custom models, including the last time each model was run.
Deactivate a custom model
Perform the following tasks to activate a custom model:
- In Splunk UBA, go to System > Models.
- Select Custom Models.
- Hover over the model you want to deactivate, and from the hamburger menu select the edit icon and select Deactivate.
- Select what you want to do with the anomalies raised by this model while the model was active:
- Select Leave anomalies in active mode to leave the anomalies in the system. The anomalies remain available to all Splunk UBA components.
- Select Permanently delete anomalies to permanently delete the anomalies from the system.
- Click OK to confirm that you want to deactivate the model.
A deactivated model remains in the /etc/caspida/local/conf/modelregistry/offlineworkflow/ModelRegistry.json
file.
New custom models in test mode | Edit or delete custom models |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1
Feedback submitted, thanks!