See all devices on the Devices Table
The Devices Table provides a view of all devices identified in your environment. From the Splunk UBA navigation menu select Explore > Devices to view the table.
By default, the table displays only those devices with a Device Resolution status of Resolved.
The table shows the host name of the device, if known, the device scope, the number of anomalies or threats that involve the device, and the score of the device. Select any row to view more information about the device.
Device scope is set to internal by default.
- External devices are identified by their IP address. To define which IP addresses are internal to your organization, see Configure Splunk UBA in Install and Upgrade Splunk User Behavior Analytics.
- Internal devices are assets such as laptops that belong to your own organization. For more information on how Splunk UBA identifies assets data, see Identify assets in your environment in Get Data into Splunk User Behavior Analytics.
Device resolution in Splunk UBA
The number of devices displayed on dashboards in Splunk UBA refers to the number of resolved devices. Splunk UBA normalizes names of devices based on AD domains and other information in a process called device resolution.
Devices in Splunk UBA are identified by one of the following properties:
- IP address, which is a virtual representation of a device and does not represent any physical device. This property has the lowest rank of the device identifiers.
- MAC address, which is the physical identifier of a device and does not change. This property is the second highest in rank among the device identifiers.
- Host name, which is a virtual but more readable representation of a physical device. Host names are assigned in each individual device or on the DNS server and are easy to recognize, so this property has the highest ranking among the device identifiers.
The rankings are used when determining the status of any device in the system. Device identifiers in Splunk UBA have three potential resolution statuses depending on the information available to associate device identifiers.
|Device resolution status
|Devices in Splunk UBA are unresolved when the only device identifier is an IP address and there is no association with other device identifiers.
For example, a Weblog entry is ingested into Splunk UBA and contains the IP address
|Devices in Splunk UBA change to superseded status when Splunk UBA identifies a DNS name or MAC address associated with the IP address of an unresolved device. The device identifier status for the IP address changes to superseded to reflect the additional information. Also when Splunk UBA identifies a DNS name associated with a MAC address, the MAC address device identifier status updates to superseded.
For example, the same IP address
Suppose a DNS log entry contains both the IP address
|The device identifier is a DNS name or a MAC address, and might have an IP address associated with it. A device with only an IP addresses associated with it can never have a status of resolved.
The process of device resolution is summarized in the flowchart:
Splunk UBA ingests asset data from Splunk Enterprise daily using asset lookup queries. Asset data is used by Splunk UBA to perform device resolution. For more information, see Identify assets in your environment in Get Data into Splunk User Behavior Analytics.
Only resolved device identifiers appear on Splunk UBA dashboards. The data science models in Splunk UBA only use resolved devices. By default, Splunk UBA treats all devices as internal devices, unless they are represented by an external domain name or a routable IP address.
You must define the AD domains in use in your organization for device names to be accurately identified. For details, see Define the AD domains in use for devices in Install and Upgrade Splunk User Behavior Analytics.
Review the device details
Click on any device listed in the Device Table to view the device details. The following information is available:
- Review the Device Facts including the device IP address, MAC address, device scope, and device type.
- Review the Device Score Trend to see how the risk score for the device has changed over time.
- Review the Data Transfer by User and Logins by User to see how much data was transferred by which user, and which users have logged on to the device and how frequently. Select View Details for more information.
- Review the User Attributions for a summary of each user interaction with the device over time. The start time, end time, duration, and number of events generated for each session is available.
- Review the Device Event for information on how the device was created in the system.
- If the device has any location data, you can view the location of the device on the Device Location map.
See all users on the User Table
Customize a table view in Splunk UBA
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 188.8.131.52, 5.2.0, 5.2.1, 5.3.0