Send Splunk UBA user and device association data to Splunk ES
You can set up Splunk User Behavior Analytics (UBA) to send user and device association data to Splunk Enterprise Security (ES). User and device association data from Splunk UBA is visible on the Session Center dashboard in Splunk ES. See Session Center dashboard in the Use Splunk Enterprise Security manual.
For Splunk UBA version 5.4.0 and higher, the Splunk ES account used for the UBA-ES integration must have the edit_token_http capability.
Set up authentication between UBA and Splunk ES
Complete these tasks to set up authentication between UBA and Splunk ES:
- Add a new user to UBA.
- Add new credentials for UBA input in Splunk Enterprise Security.
Add a new user to UBA
You must have a ubaesuser user in UBA to authenticate requests from the SA-UEBA app. Complete the following steps to add this user:
- Log in to the Splunk UBA management server.
- In Splunk UBA, select Manage > UBA Accounts.
- Select New User Accounts and add a new user. The user name must be ubaesuser.
- Provide the role of the user.
- Provide the password and create the user.
Add new credentials for UBA input in Splunk ES
Splunk ES uses a specific local UBA username and password authentication to integrate with UBA. See Manage credentials in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
- In Splunk ES, select Configure > General > Credential Management.
- Select New Credential.
- Input the Username as ubaesuser.
- Input the Realm as uba.
- Input the password for the ubaesuser user that you set up in the previous section. Input this password again to confirm.
- Select the SA-UEBA app.
- Select Save.
For the integration to work correctly, the ubaesuser user must exist in both UBA and Splunk ES with the same password. If the password for this user needs to change, change it in both places.
Change a property in UBA
- Log in to the UBA management server as the caspida user using SSH.
- Open the /etc/caspida/local/conf/uba-site.properties file.
- Edit or create the identity.resolution.export.enabled setting and set it to true:
  identity.resolution.export.enabled=true
- Restart the UBA web interface service for the change to take effect:
  sudo service caspida-ui stop
  sudo service caspida-ui start
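The property edit above is easy to get wrong by hand (a second copy of the key appended below the first, or a commented-out line that looks live). The following shell example, added here and not taken from the Splunk UBA documentation, makes the edit idempotently: it rewrites the key's line if it exists and appends it otherwise, and it can verify the effective value afterwards. The function names (escape_re, set_property, get_property, identity_export_enabled) are assumptions made for this example; the file path and key are the ones from the procedure.

```shell
#!/bin/sh
# Added example, not from the Splunk UBA documentation: set a key in a
# Java-style .properties file idempotently, which is what the manual step
# above does by hand for identity.resolution.export.enabled in
# /etc/caspida/local/conf/uba-site.properties. Function names are
# assumptions made here for illustration.

# Escape the characters that are special in a basic regular expression so a
# dotted key such as identity.resolution.export.enabled matches literally.
escape_re() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# set_property FILE KEY VALUE: rewrite KEY's line if present, else append it.
set_property() {
    file=$1 key=$2 value=$3
    esc=$(escape_re "$key")
    [ -f "$file" ] || : > "$file"          # create the file if it is absent
    if grep -q "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key}=${value}|" "$file" > "$tmp"
        # Writing over the original (rather than mv) keeps the file's owner
        # and mode, which matters for a file the caspida services read.
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY: print the effective value (the last definition wins,
# as in java.util.Properties); prints nothing if the key is absent.
get_property() {
    esc=$(escape_re "$2")
    grep "^[[:space:]]*${esc}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# identity_export_enabled FILE: exit 0 only if the export flag is exactly "true".
identity_export_enabled() {
    [ "$(get_property "$1" identity.resolution.export.enabled)" = "true" ]
}
```

On the UBA management server this would be run as the caspida user, for example `set_property /etc/caspida/local/conf/uba-site.properties identity.resolution.export.enabled true`, followed by the caspida-ui stop and start from the step above; the identity_export_enabled check is a convenient post-change verification before the restart.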
Set up UBA in Splunk ES
- In Splunk ES, select Configure > UBA Setup.
- Turn on Identity Integration.
- In the Server Address field, input the UBA host prefixed with http or https. No port number is required.
- Save the changes.
A restart of your Splunk instance is required.
View user and device association information from UBA in Splunk ES
Follow these steps to view UBA user and device association information in Splunk ES:
In UBA the available entity types are Generic, Device, and User. In Splunk ES only Device and User are available.
- In Splunk ES, go to Security Domains > Identity > Session center – User Behavior Analytics. If you search by entity type (User or Device) alone, without any other search criteria, not all entries appear under the UBA tab in the ES interface.
- From the Select entity type drop-down menu, select User or Device and a time frame to see the associations.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0