Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

What is the custom use case framework?

Use the custom use case framework in Splunk UBA to create custom data cubes and models and deploy additional use cases not already covered by Splunk UBA's streaming and batch models. Content developers such as security research teams, security experts or professional services members can leverage the functionality of existing time series or rare events models by cloning the models to build a custom use case without writing code or defining algorithms.

Only users with the Content_Developer role have permission to create content in Splunk UBA. See Manage user accounts and account roles in Splunk UBA in Administer Splunk User Behavior Analytics.

Clone existing models or create new models in Splunk UBA

You can clone or create new batch (offline) models in Splunk UBA. You can clone or create the following types of batch models:

When a custom model is created, it remains in test mode until it is activated. Any anomalies generated by a model in test mode also remain in test mode so as to not interfere with ongoing day-to-day operations in Splunk UBA such as threat computations or investigations. When a model is activated, you can delete, ignore, or migrate the test mode anomalies to the production system, thereby making them available to all of Splunk UBA's components.

See Trigger or activate your custom models.

Create new cubes for data aggregation in Splunk UBA

The custom use case framework also provides the ability to create new data cubes. A data cube is a table of aggregated event data used by models to generate content in Splunk UBA. Cubes consist of dimensions and measures:

  • A dimension is a string value from a specific field in an event, such as the user ID.
  • A measure is a mathematical calculation based on a dimension, such as the total number of users.

See Understanding Splunk UBA data cubes.

Set limits for the number of custom models, cubes, measures, and dimensions in Splunk UBA

By default, you can create a maximum of four custom cubes in Splunk UBA, and each cube can have a maximum of six dimensions and three measures. If you want to create additional cubes, you must delete one of the existing custom cubes before you are able to create another.

There is no limit to the number of custom models you can create, but you can only activate a maximum of six models at a time. If there are already six active custom models, you must deactivate one custom model before you can activate another.

To customize the number of active custom models and cubes allowed, along with the number of dimensions and measures allowed in each cube, perform the following tasks:

  1. Log in to the management node in your Splunk UBA deployment as the caspida user.
  2. Edit the /etc/caspida/local/conf/uba-site.properties file, then add and configure the properties in the table as desired:
     Property                      Description                                                  Default Value
     custom.cubes.non.deleted.max  The maximum number of custom cubes that can be created.      6
     custom.cubes.dimensions.max   The maximum number of dimensions allowed in a custom cube.   6
     custom.cubes.measures.max     The maximum number of measures allowed in a custom cube.     3
     custom.models.enabled.max     The maximum number of active custom models allowed.          6
  3. Run the following command to synchronize the configuration change across all nodes in the cluster:
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
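The edit-then-sync procedure above can be made repeatable with a small shell script. The following is an added example, not Splunk's own tooling: it upserts the four properties from the table into uba-site.properties (replacing an existing line rather than appending a duplicate) and only then runs sync-cluster. The script name, the "apply" argument, and the UBA_SITE_PROPS override used for dry runs are assumptions.

```shell
#!/bin/sh
# Added example (not part of Splunk UBA): set the custom-content limits in uba-site.properties
# and sync the cluster. Run as the caspida user on the management node.
# UBA_SITE_PROPS can be pointed at a scratch copy to review the result before touching the live file.
UBA_SITE_PROPS="${UBA_SITE_PROPS:-/etc/caspida/local/conf/uba-site.properties}"

# escape_key KEY: escape the dots in a property name so they match literally in sed/grep patterns
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_prop FILE KEY VALUE: replace an existing "KEY=..." line or append one; other lines are untouched
set_prop() {
    file="$1"; key="$2"; value="$3"; esc=$(escape_key "$key")
    touch "$file"
    if grep -q "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        # rewrite via a temp file so the edit is atomic and does not depend on GNU sed -i
        tmp="${file}.tmp.$$"
        sed "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop FILE KEY: print the current value of KEY (empty if the key is not set)
get_prop() {
    esc=$(escape_key "$2")
    sed -n "s|^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# apply_custom_limits FILE CUBES DIMENSIONS MEASURES MODELS: write the four documented properties
apply_custom_limits() {
    set_prop "$1" custom.cubes.non.deleted.max "$2"
    set_prop "$1" custom.cubes.dimensions.max  "$3"
    set_prop "$1" custom.cubes.measures.max    "$4"
    set_prop "$1" custom.models.enabled.max    "$5"
}

# Usage (assumed script name): sh set-uba-limits.sh apply 6 6 3 6
# Without the "apply" argument the script only defines the functions and changes nothing.
if [ "${1:-}" = "apply" ]; then
    apply_custom_limits "$UBA_SITE_PROPS" "$2" "$3" "$4" "$5"
    /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
fi
```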
Last modified on 19 December, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1
