Requirements for using the Splunk Add-on for Splunk UBA
Before integrating Splunk User Behavior Analytics (UBA) with Splunk Enterprise or Splunk Enterprise Security (ES), meet these requirements:
- Verify that you are using compatible versions of Splunk UBA, Splunk Enterprise, and Splunk ES. See Splunk UBA product compatibility matrix in the Plan and Scale your Splunk UBA Deployment manual.
- Verify that you have properly configured Splunk UBA, Splunk Enterprise, and Splunk ES for integration. See Splunk Enterprise and Splunk ES requirements.
- Verify that you have properly configured authentication for Splunk ES users to access Splunk UBA. See Configure authentication between Splunk UBA and Splunk ES.
Splunk Cloud Platform customers must contact Splunk Support to fully integrate with Splunk UBA. The Splunk Cloud Platform sc_admin role cannot perform Splunk UBA setup.
Splunk Enterprise and Splunk ES requirements
You must meet the following requirements to integrate Splunk UBA with Splunk Enterprise and Splunk ES:
Component | Requirement |
---|---|
Splunk Enterprise | Verify that you have a Splunk Enterprise user account that meets all the requirements listed in Requirements for the Splunk Enterprise user account in the Install and Upgrade Splunk User Behavior Analytics manual. |
Splunk Add-on for Splunk UBA | Verify that the Splunk Add-on for Splunk UBA is installed and enabled on your search head, with the ueba index deployed to your indexers. See Deploy the Splunk Add-on for Splunk UBA. |
Splunk UBA server | Verify that the name of the Splunk UBA server is specified correctly in Splunk ES. The server name that you entered when running the /opt/caspida/bin/Caspida setup command during Splunk UBA installation must match the value of the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file on the Splunk UBA server. The name entered during setup is recorded in the /opt/caspida/conf/deployment/caspida-deployment.conf file, so compare the two files if Splunk ES cannot reach Splunk UBA. |
Output connector | Configure an output connector on Splunk UBA to send anomalies and threats from Splunk UBA to Splunk ES. During this configuration, you must provide a username and password for a Splunk ES account with at least the permissions granted by the |
Splunk ES account | For Splunk UBA version 5.4.0 and higher, the edit_token_http capability (the capability that permits creating and editing HTTP Event Collector tokens) is required for the Splunk ES account used for the UBA-Splunk ES integration. Grant it to the dedicated integration account rather than reusing an administrator account. |
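The two requirements in the table that can be checked mechanically, the uiServer.host match and the edit_token_http capability, are verified by the following added preflight script. It is an example written for this page, not code from the Splunk Add-on for Splunk UBA or from Splunk UBA itself. The file paths and the uiServer.host property come from the table; the REST endpoint is Splunk's standard authentication/users endpoint. The key under which caspida-deployment.conf records the host is not documented on this page, so the host check only confirms that the same host string appears in that file; the sample files and the sample REST response at the bottom are constructed so the script runs without a Splunk UBA host.

```shell
#!/bin/sh
# Added preflight checks for the Splunk UBA / Splunk ES integration requirements.
# Not part of Splunk UBA or the Splunk Add-on for Splunk UBA.

# Print the value of a key=value property from a Java-style properties file.
# Leading whitespace is allowed; commented-out lines ("#uiServer.host=...") are ignored.
get_property() {
    file=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots so they match literally
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1 | tr -d '[:space:]'
}

# Return 0 when uiServer.host in uba-site.properties also appears as a whole word in
# caspida-deployment.conf; return 1 (and say why) otherwise. The deployment file's
# own key name is not documented here, so the check is on the host string only.
check_uba_host() {
    site_props=$1
    deploy_conf=$2
    host=$(get_property "$site_props" uiServer.host)
    if [ -z "$host" ]; then
        echo "uiServer.host is not set in $site_props" >&2
        return 1
    fi
    if grep -qwF -- "$host" "$deploy_conf"; then
        echo "OK: uiServer.host=$host is the host recorded in $deploy_conf"
        return 0
    fi
    echo "MISMATCH: uiServer.host=$host does not appear in $deploy_conf" >&2
    return 1
}

# Return 0 when the JSON on stdin (a Splunk REST authentication/users response)
# lists the capability named in $1. Fetch the JSON from the ES search head with:
#   curl -sk -u "$ES_USER:$ES_PASS" \
#     "https://es-search-head.example.com:8089/services/authentication/users/$ES_USER?output_mode=json" \
#     | has_capability edit_token_http
# (hostname and credentials above are placeholders). A plain grep for the quoted
# capability name is enough for the flat capabilities array this endpoint returns.
has_capability() {
    grep -q "\"$1\""
}

# Demo on constructed sample files, so the script runs without a Splunk UBA host.
tmp=$(mktemp -d)
printf '# constructed sample of /etc/caspida/local/conf/uba-site.properties\nuiServer.host = uba01.example.com\n' \
    > "$tmp/uba-site.properties"
printf '# constructed sample of caspida-deployment.conf (key name is made up)\nCASPIDA_HOST=uba01.example.com\n' \
    > "$tmp/caspida-deployment.conf"
check_uba_host "$tmp/uba-site.properties" "$tmp/caspida-deployment.conf"
# constructed sample of the REST response for an account that holds the capability
printf '{"entry":[{"content":{"capabilities":["edit_token_http","search"]}}]}' \
    | has_capability edit_token_http && echo "OK: account has edit_token_http"
rm -rf "$tmp"
```

Run check_uba_host against the real paths on the Splunk UBA host before configuring the output connector; if it reports a mismatch, fix uiServer.host rather than the Splunk ES side, since Splunk ES only needs to match what UBA itself advertises. The capability check is deliberately narrow: it tells you the account can create HEC tokens, not that it has anything more, which is the least-privilege posture you want for an integration account.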
Configure authentication between Splunk UBA and Splunk ES
Starting with release 6.1.0, Splunk ES can use a local user account to integrate with Splunk UBA. To perform the integration, meet the following requirements:
- In Splunk UBA, configure an account with the username of "ubaesuser" (for UBA ES User) and the account role of User (uba_user). See Add a local user account in the Administer Splunk User Behavior Analytics manual.
- In Splunk ES, create the matching credentials. See Add a new credential for UBA input in the Splunk Enterprise Security Administer Splunk Enterprise Security manual.
If you are using a version of Splunk ES lower than 6.1.0, configure Splunk authentication in Splunk UBA to integrate Splunk UBA and Splunk ES. See Configure Splunk authentication using Splunk UBA in the Administer Splunk User Behavior Analytics manual.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0, 5.4.1