Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Audit user activity in Splunk UBA

You can audit user activity in Splunk UBA by reviewing the audit logs in Splunk UBA or by sending audit logs to the Splunk platform for analysis.

User activity logged by Splunk UBA

Audit logs contain the name of the action performed, the type of the action performed, the username of the user performing the action, and the time of the action. In addition, if the action performed affects an entity such as a user or device, Splunk UBA logs the entity type, entity ID, and the URL for the affected entity details page. To see more details about an entity, search the entity ID in the table relevant to the entity type. For example, search an entity ID for a device in the Devices table.

By default, Splunk UBA retains three months of user activity audit logs.

Audit log example

For example, audit logs for the user jgonzalez downloading diagnostic data and then viewing the device details page for a device look as follows:

Action Name Details Username Time
Download Diagnostics modules: All Modules
retentionPeriodInDays: 2
jgonzalez Jun 13, 2017 2:14 PM
View Device Details acme-61669202 jgonzalez Jun 13, 2017 5:33 PM

The device name is a link to the device details page.

Types of user activity logged by Splunk UBA

Splunk UBA logs several types of activity for auditing. All actions performed by users in Splunk UBA are logged for auditing, including visits to dashboards and pages within the application.

Activity category Specific behavior logged
Access and authentication activity User logged in or out.
User account created, modified, or deleted.
Data source changes Data sources added, modified, or deleted.
HR data configuration created
HR data configuration reset
Configure an output connector.
Installation activity Install a content pack.
Install a new or updated license file.
Splunk UBA user activity Navigation and filter activity in the user table.
Navigation and filter activity in the device table.
Navigate to the Models page.
Navigate to the Health Monitor page.
Threat review activity Add a threat to a watchlist.
Add a threat to an allow list.
Anomaly review activity Delete or restore an anomaly.
Change the score of an anomaly.
Add or remove an anomaly from a watchlist.
Deny list and allow list changes Add or remove an entry from the deny list.
Add or remove an entry from the allow list.
Custom threat rule changes Create a custom threat rule.
Modify or delete a custom threat rule.
PII masking behavior Mask PII in Splunk UBA.
Unmask PII in Splunk UBA.

Review the audit logs in Splunk UBA

You can view the audit logs from the past three months in Splunk UBA. Select System > Audit Logs to open the audit logs.

Filter by time, action, username, or entity type to reduce the scope of the audit logs for review. For example, you can examine the activity of a specific user over a period of time, identify the users that performed a sensitive action in a period of time, locate the user that interacted with a specific threat in Splunk UBA, or show all activity for a narrow period of time.

Send audit logs to the Splunk platform for analysis

For complete instructions, see Send Splunk UBA audit events to Splunk ES in Send and Receive Data from the Splunk Platform .

Last modified on 15 December, 2023
Collect diagnostic data from your Splunk UBA deployment   Manage the number of threats and anomalies in your environment

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4,, 5.0.5,, 5.1.0,, 5.2.0, 5.2.1, 5.3.0, 5.4.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters