Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Get data into Splunk UBA

Splunk UBA uses data from the Splunk platform to identify potential insider and external threats to your environment. Work with Splunk Professional Services to get started with importing important data sources and filtering events.

Before you begin

Before you add data sources to Splunk UBA, run the following script to verify that the software is working correctly and is properly configured:


The script checks the status of the following configurations:

  • Admin users are correctly identified and normalized.
  • Email is set up to send alerts, geolocation changes have been made on the UI, and internal domains are set in the /etc/caspida/local/conf/uba-site.properties file.
  • Internal IPs are set up in the /etc/caspida/local/conf/etl/configuration/EntityValidations.json file.
  • Competitive domains are set up in the /etc/caspida/local/conf/competitorDomains.txt file.
  • Network access to the Google Maps, VirusTotal, WHOIS, and MaxMind external services is available.
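As an added example (not Splunk's verification script), a small POSIX shell pre-flight check covering the same items: it confirms that the three configuration files listed above exist and are non-empty, and probes TCP reachability of the external services. The UBA_CONF variable, the host names and the ports are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Added pre-flight check written for this page; it is not Splunk's own script.
# It confirms that the configuration files listed above exist and are non-empty
# and that the external services are reachable. Requires nc(1).
# The service hosts and ports are assumptions; adjust them to your site.
UBA_CONF="${UBA_CONF:-/etc/caspida/local/conf}"

# Return 0 when every expected file under directory $1 exists and is non-empty.
check_config_files() {
    base="$1"; rc=0
    for f in uba-site.properties \
             etl/configuration/EntityValidations.json \
             competitorDomains.txt; do
        if [ -s "$base/$f" ]; then
            echo "ok       $base/$f"
        else
            echo "MISSING  $base/$f (absent or empty)"; rc=1
        fi
    done
    return $rc
}

# Return 0 when a TCP connection to $2:$3 succeeds within 5 seconds, so an
# egress filter or proxy that blocks the service shows up as a failure.
check_service() {
    name="$1"; host="$2"; port="$3"
    if nc -z -w 5 "$host" "$port" 2>/dev/null; then
        echo "ok       $name ($host:$port)"
    else
        echo "BLOCKED  $name ($host:$port)"; return 1
    fi
}

# Probe the external services named on the page (assumed hosts and ports).
check_external_services() {
    rc=0
    check_service "Google Maps" maps.googleapis.com 443 || rc=1
    check_service "VirusTotal"  www.virustotal.com  443 || rc=1
    check_service "WHOIS"       whois.iana.org       43 || rc=1
    check_service "MaxMind"     updates.maxmind.com 443 || rc=1
    return $rc
}

# Run both checks when invoked as: sh uba-preflight.sh --run
case "${1:-}" in
    --run)
        status=0
        check_config_files "$UBA_CONF" || status=1
        check_external_services        || status=1
        exit $status ;;
esac
```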

Add data sources to Splunk UBA

Complete the following steps to properly get data into Splunk UBA.

  1. Verify you have the correct permissions. See Requirements for connecting to and getting data from the Splunk platform.
  2. (Optional) See which data source types are supported in Splunk UBA. See View supported data source types and prepare to add data sources to Splunk UBA.
  3. Get HR data into Splunk UBA. See Get HR data into Splunk UBA.
  4. Get assets and identity data into Splunk UBA. See Identify assets in your environment.
  5. Configure allow lists and deny lists in Splunk UBA for domains, IP addresses, or users. See Use allow and deny lists to generate or suppress anomalies.
  6. Get data from the Splunk platform into Splunk UBA. See Use connectors to add data from the Splunk platform to Splunk UBA. You can get started with a smaller dataset before ingesting all of your data. See Get started with a small dataset.
  7. Review and verify your data sources. See Verify that you successfully added the data source.

View supported data source types and prepare to add data sources to Splunk UBA

Before you add new data sources, review the types of data that you want to add and determine which ones Splunk UBA supports. See Which data sources do I need?.

Perform the following steps to view the data source types supported by Splunk UBA:

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Review the data source types on the Data Source Type page. The supported data source types that can be added to Splunk UBA are listed on this page.

After you determine which data sources you can add, make sure that existing event filters do not affect the new data sources. Review the existing event filters to check for settings that negatively affect future data uploads. For example, an event filter that excludes source_IP data from one data source will affect the new data source. Modify the filters as needed as new data sources are added.

Splunk UBA provides support for English language logs only.

Get started with a small dataset

Get started with a smaller set of data before working in a full production environment. This is useful for verifying that the data coming into Splunk UBA is properly configured and mapped so that you see the desired anomalies and threats.

There are several ways to use a small dataset to get started in Splunk UBA:

Last modified on 20 December, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0
