Add raw events from the Splunk platform to Splunk UBA
You can add data to Splunk UBA that is not CIM-compliant but is from a supported data source type. Perform the following steps to view the data source types supported by Splunk UBA, or refer to the table that follows:
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- Review the data source types on the Data Source Type page. The supported data source types that can be added to Splunk UBA are listed on this page.
| Data Source Type | Specific source |
|---|---|
| Events Data | Events File |
| User Attribution | HR File, Splunk HR Data |
| SIEM Connectors | Splunk, Splunk ES Notables |
| Cloud Services | Box, Dropbox |
| Device Attribution | Assets File, Splunk Assets |
| Hadoop | Events Files on HDFS |
| Threat Data | UBA Threat Feed |
Consider mapping this data to the appropriate CIM data model, using the method described in Add CIM-compliant data to Splunk UBA from the Splunk platform.
You can add data from multiple time zones using the same method. By default, the connector.splunk.use.time property is set to true to allow data from multiple time zones. For more information about time zones and events in the Splunk platform, see Specify time zones for timestamps in Splunk Enterprise Getting Data In.
To add data that is not CIM-compliant or not from a supported data source type, contact Splunk Professional Services.
Add data from one source type in the Splunk platform to Splunk UBA
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- Select Splunk as the data source type and click Next.
- Specify a name for the data source, such as Splunk. The data source name must be alphanumeric, with no spaces or special characters.
- Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port. For example, https://splunksearchhead.splunk.com:8089. If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
- Type the user name and password for the Splunk platform account.
- Select a Connector Type of Splunk Raw Events and click Next.
- Select a time range.
- To continuously retrieve data using time-based micro-batch queries, select Live and All time. See How data gets into Splunk UBA.
- To retrieve data for a specific time window, select Live and Time Window and specify a time period. For example, specify 8h 30s to retrieve data for the past 8 hours and 30 seconds. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
- To add historical data from the Splunk platform, select Date Range and select a calendar date range. Only events within the specified calendar window are retrieved. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
- Click Next.
- Click Source Types to view the source types from your Splunk platform data.
Splunk UBA will try to form a connection with the Splunk platform and find source types across all default indexes. If no source types appear, a firewall rule may be preventing you from querying the Splunk platform. You must be able to connect to the Splunk platform and see at least one data source type before you continue.
- Select one data source type and click Next.
- Select Single Format.
- Select the format from the drop-down list of formats.
- Click Next.
- To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
- Click OK.
Add data from multiple source types in the Splunk platform to Splunk UBA
Follow this procedure to add multiple data source types from the Splunk platform to Splunk UBA:
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- Select Splunk as the data source type and click Next.
- Specify a name for the data source, such as Splunk. The data source name must be alphanumeric, with no spaces or special characters.
- Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port. For example, https://splunksearchhead.splunk.com:8089. If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.
- Type the user name and password for the Splunk platform account.
- Select a Connector Type of Splunk Raw Events and click Next.
- Select a time range.
- To continuously retrieve data using time-based micro-batch queries, select Live and All time. See How data gets into Splunk UBA.
- To retrieve data for a specific time window, select Live and Time Window and specify a time period. For example, specify 8h 30s to retrieve data for the past 8 hours and 30 seconds. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
- To add historical data from the Splunk platform, select Date Range and select a calendar date range. Only events within the specified calendar window are retrieved. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
- Click Next.
- Click Source Types to view the source types from your Splunk platform data.
Splunk UBA will try to form a connection with the Splunk platform and find source types across all default indexes. If no source types appear, a firewall rule may be preventing you from querying the Splunk platform. You must be able to connect to the Splunk platform and see at least one data source type before you continue.
- Select one data source type and click Next.
- Select Multiple Formats.
- Click Edit Splunk Types Mapping.
- Review the list of existing mappings for the data source types you want to add.
If your data source type is not listed, click Add Mapping and type the Splunk source type in the Splunk Type text box. Do not remove any of the existing mappings, as they may be used by other data sources in your system.
- Select the UBA Format that matches each data source type from the drop-down list of formats. Specify the Splunk Type in all capital letters.
- Click OK to save the data source type mapping.
- Click Next.
- To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
- Click OK.
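The two procedures above share the same inputs: an alphanumeric data source name, an https connection URL on the management port (8089 in the example), a time window such as 8h 30s, and, for multiple formats, a Splunk Type to UBA Format mapping that must be entered in capital letters and must never drop existing entries. The following Python script is an added example, not Splunk's own code and not how Splunk UBA validates these fields internally; it checks those inputs ahead of time so that a misconfigured name, URL or mapping is caught before clicking through the UI. The function names, the time-window grammar (whitespace-separated N[dhms] tokens, inferred from the 8h 30s example), the constructed format names, and the use of the Splunk REST endpoint /services/server/info for an optional reachability check are assumptions made for this example.

```python
"""Pre-flight checks for adding a 'Splunk Raw Events' data source to Splunk UBA.

Added example, not Splunk's own code. It models the rules the procedures
state (alphanumeric data source name, https URL with the management port,
Splunk Type in capital letters, existing mappings never removed) and adds an
optional reachability check against the Splunk REST API on port 8089.
Function names, the time-window grammar and the use of /services/server/info
for the check are assumptions made for this example.
"""
import base64
import json
import re
import ssl
import urllib.request
from urllib.parse import urlparse

NAME_RE = re.compile(r"[A-Za-z0-9]+")
TOKEN_RE = re.compile(r"(\d+)([dhms])")
WINDOW_RE = re.compile(r"(\d+[dhms])+")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}  # units assumed


def validate_data_source_name(name: str) -> bool:
    """Name must be alphanumeric with no spaces or special characters."""
    return NAME_RE.fullmatch(name) is not None


def validate_connection_url(url: str) -> tuple:
    """Require https and an explicit management port; 8089 is the usual one.

    Returns (ok, message). A non-8089 port is accepted with a warning so that
    a load balancer on another port can still be used.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "connection URL must use https"
    if not parsed.hostname:
        return False, "connection URL has no host name"
    if parsed.port is None:
        return False, "connection URL must include the management port, e.g. :8089"
    if parsed.port != 8089:
        return True, "warning: port %d is not the default management port 8089" % parsed.port
    return True, ""


def parse_time_window(spec: str) -> int:
    """Turn a window such as '8h 30s' into seconds (grammar assumed: N[dhms] tokens)."""
    compact = "".join(spec.split())
    if not WINDOW_RE.fullmatch(compact):
        raise ValueError("bad time window: %r" % spec)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in TOKEN_RE.findall(compact))


def merge_source_type_mappings(existing: dict, additions: dict) -> dict:
    """Add Splunk Type -> UBA Format mappings without dropping existing ones.

    Keys are upper-cased because the UI expects the Splunk Type in capitals.
    A key that already maps to a different format raises instead of silently
    overwriting a mapping that another data source may depend on.
    """
    merged = dict(existing)
    for splunk_type, uba_format in additions.items():
        key = splunk_type.upper()
        if key in merged and merged[key] != uba_format:
            raise ValueError("mapping conflict for %s: %s vs %s" % (key, merged[key], uba_format))
        merged[key] = uba_format
    return merged


def check_management_port(url: str, user: str, password: str, cafile=None, timeout=5.0) -> dict:
    """Reachability check: GET /services/server/info on the management port.

    Uses a verified TLS context (pass cafile for a private CA); certificate
    checking is never disabled. Network access is required, so the offline
    demo below does not call it.
    """
    ok, msg = validate_connection_url(url)
    if not ok:
        raise ValueError(msg)
    req = urllib.request.Request(url.rstrip("/") + "/services/server/info?output_mode=json")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo with constructed values only (format names are placeholders).
    print(validate_data_source_name("Splunk"), validate_data_source_name("Splunk ES"))
    print(validate_connection_url("https://splunksearchhead.splunk.com:8089"))
    print(parse_time_window("8h 30s"))
    print(merge_source_type_mappings({"WINEVENTLOG": "format_a"}, {"cisco:asa": "format_b"}))
```

If the reachability call fails with a timeout or connection error while the same credentials work in a browser on the web port, that points at the firewall case the procedure describes: the management port is the one Splunk UBA needs, and it must be open on the search head or on the load balancer in front of a search head cluster.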
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1