Splunk® User Behavior Analytics

Release Notes

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Welcome to Splunk UBA 5.4.0

Splunk UBA 5.4.0 is a major release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.

If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.

Splunk UBA version 5.3.0 and higher mean the End of Support for UBA 5.0.x versions. For more information, see the Splunk Software Support Policy

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documents before you get started:

What's new in 5.4.0

Splunk UBA version 5.4.0 includes the following features and changes:

Feature, enhancement, or change Description
Operating System updates: The 5.4.0 release supports the following operating systems:
  • Ubuntu version 20.04 (upgrades only, not new installations).
  • RHEL version 8.8 (new installations and upgrades).
  • RHEL version 8.6 (upgrades only, not new installations).
  • Oracle/Linux (OEL) version 8.9 (new installations and upgrades).
    • OEL Leapp updated its base operating system to OEL version 8.10. OEL 8.10 has been tested for UBA 5.4.0 but does require an additional step at upgrade stage. Alternately, you can refrain from upgrading until the release of UBA version 5.4.1.

  • Oracle/Linux (OEL) version 8.8 (upgrades only, not new installations).

For more information, see Operating system requirements in the Install and Upgrade Splunk User Behavior Analytics manual.

Sending anomalies, threats, and audit events to Splunk ES UBA now uses the HTTP Event Collector (HEC) to send events to the Splunk platform, and no longer uses the TCP inputs.conf stanza.

The following changes apply to Splunk UBA version 5.4.0 and higher:

  • The uba.splunkes.integration.enabled field must be set to true in uba-site.properties on the Splunk UBA management node.
  • The Splunk ES account being used for UBA-ES integration must have the edit_token_http capability.
  • Port 8088 must be open on the Splunk ES search head.
  • Add connection_host = ip to the HTTP Event Collector (HEC) inputs.conf on the Splunk ES search head. This ensures that the host field remains the sender's (UBA) IP address instead of the default HEC host and port.
  • Splunk Cloud users must set up a HEC token to receive anomalies, threats, and audit events, and have the Splunk Universal Forwarder app installed.
  • Customers with existing UBA-ES integrations must comment out or remove the previously configured [tcp-ssl:10008] stanza from the Splunk_TA_ueba inputs.conf on the Splunk ES search head to avoid having an unused listener.

For more details, see Send Splunk UBA anomalies and threats to Splunk ES as notable events and Send Splunk UBA audit events to Splunk ES.

Splunk Enterprise Security Risk Based Alerting enhancements Splunk UBA can now directly create and send risk events to Splunk Enterprise Security (ES). UBA version 5.4.0 and higher uses the Splunk HTTP Event Collector (HEC) rather than correlation searches.

See the the "Send risk events and turn off UBA Correlation Searches in ES" option in Add an output connector in Splunk UBA in the Send and Receive Data from the Splunk Platform manual.

Networking requirements changes Open the HTTP Event Collector (HEC) port to send events from Splunk UBA to the Splunk Platform. See Splunk platform port requirements in the Install and Upgrade Splunk User Behavior Analytics manual.
FIPS compliance Federal Information Processing Standard (FIPS) compliance is available with Splunk UBA version 5.4.0 and higher. Complete the steps to turn FIPS on during the install or upgrade process, on each Splunk UBA node.

For details, see the "Turn on FIPS compliance" section on the install or upgrade documentation for your Splunk UBA instance:

Turning on FIPS compliance must occur at a specific stage of the UBA install or upgrade process.

Usage Data collection Changes have been made to what anonymized data Splunk User Behavior Analytics as deployed on Splunk Enterprise sends Splunk Inc. For details, see Share data in Splunk UBA.
Windows XML Events onboarding enhancements There is a new way to get Windows XML events into UBA. See Use the Splunk Raw Events connector to get XML Windows events into Splunk UBA in the Get Data into Splunk User Behavior Analytics manual.
Windows Powershell Events processing enhancements Processing is improved for Windows Powershell Events in both Multiline and EVTX formats for the Splunk Raw Events connector type. Enhancements in processing apply to the Event IDs 4103, 4104, and 4688.
False Positive Suppression Model A new offline batch model is now available. See the False Positive Suppression Model in the Use Splunk User Behavior Analytics manual.
Rare Events Model Scaling Introduction of a new parameter to address potential memory usage issues during Rare Event Model execution. See Rare Events Model Scaling in the Use Splunk User Behavior Analytics manual.
Time-series model enhancements Splunk UBA time-series models, including the Unusual Volume of File Access Related Events per User Model, have been enhanced for version 5.4.0. Enhancements include bugs fixes and performance improvements. Model execution time, max shuffle reads and writes, and max disk and memory spills have all been addressed. See Available time-series models in the Use Splunk User Behavior Analytics manual.
Batch model enhancements Splunk UBA batch models, including the Account Exfiltration and Device Exfiltration models, have been enhanced for version 5.4.0. Enhancements include bugs fixes and performance improvements. Model execution time, max shuffle reads and writes, and max disk and memory spills have all been addressed. See Account Exfiltration Model and Device Exfiltration Model in the Use Splunk User Behavior Analytics manual.
New blog post A new blog post has been published. See Building At-Scale User Behavior Analytics for Splunk UBA: Enhance Performance of Account & Device Exfiltration Models.

Splunk UBA external dependencies

You can download a PDF file listing the external dependencies required to install Splunk UBA:

Do not independently upgrade the following UBA-dependent components to avoid impacting UBA operations:

  • docker
  • hadoop
  • hive
  • impala
  • influxdb
  • kafka
  • kubernetes
  • nodejs
  • openjdk
  • postgresql
  • protobuf
  • redis
  • spark
  • zookeeper
Last modified on 01 August, 2024
  Known issues in Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters