Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Manage Splunk UBA configuration properties in the uba-site.properties file

Configure Splunk UBA by adding or editing properties in the /etc/caspida/local/conf/uba-site.properties file.

Customizations made in this file are not modified during any Splunk UBA upgrade procedures.

You can configure the following product areas in Splunk UBA by adding or editing properties in the /etc/caspida/local/conf/uba-site.properties file:

In the tables in each section, the values in the Default behavior column indicate the default Splunk UBA behavior when a configuration property is not set.

How to set configuration properties in Splunk UBA

A file called /opt/caspida/conf/uba-default.properties is used by Splunk UBA to manage many of the processes and micro-services required to operate Splunk UBA. To edit any of these default properties, or to add new properties, copy this file to /etc/caspida/local/conf/uba-site.properties file. Only edit the uba-site.properties file when changes are required. The /etc/caspida/local/conf directory is not affected by any upgrade scripts so configuration changes in this location can persist across product upgrades.

Perform the following steps to edit the /etc/caspida/local/conf/uba-site.properties and have the changes take effect:

  1. Log in to the Splunk UBA management node as the caspida user.
  2. Edit the /etc/caspida/local/conf/uba-site.properties file and add or edit the desired property and value.
  3. Save and exit the file.
  4. Synchronize the configuration changes across the cluster: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf

Depending on the service you are configuring, there might be additional steps required in order for the configuration property changes to take effect.

Splunk UBA environment properties

The following configuration properties affect your Splunk UBA setup:

Property Description Default behavior
system.docker.networkcidr Use this property to customize the IP addresses of your Docker containers to avoid conflicts in your network. See Change the IP address of your Docker containers.


To set this configuration property:

  1. Stop Splunk UBA: 
    /opt/caspida/bin/Caspida stop-all
  2. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  3. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  4. Start Splunk UBA: 
    /opt/caspida/bin/Caspida start-all
 Not set.
ui.idleTimeout Use this property to change or disable the timeout value for the Splunk UBA web interface. See Disable the Splunk UBA web interface timeout.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Stop the Splunk UBA web interface service: 
    sudo service caspida-ui stop
  3. Start the Splunk UBA web interface service: 
    sudo service caspida-ui start
 1800000 milliseconds (30 minutes)
Health monitor indicators Many health monitor indicators have configurable properties that allow you change the threshold at which a warning or error is generated. See Health Monitor status code reference. Varies.

Splunk UBA and Splunk Enterprise Security integration properties

The following are configuration properties for Splunk UBA and Splunk Enterprise Security (ES) integration:

Property Description Default behavior
uba.splunkes.retry.delay.minutes Configure how often Splunk UBA sends threats to Splunk ES. See How threats and notables are synchronized in the Send and Receive Data from the Splunk Platform manual.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 5 minutes
uiServer.host The name of the Splunk UBA server specified when running the /opt/caspida/bin/Caspida setup command during Splunk UBA installation must match the value stored in the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA. See Splunk Enterprise and Splunk ES requirements in the Send and Receive Data from the Splunk Platform manual.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Restart the Splunk UBA web interface service: 
    sudo service caspida-ui restart
 N/A
uba.sys.audit.push.splunk.enabled Set this property to true to enable Splunk UBA audit events to be sent to Splunk ES. See Send audit events to Splunk ES in the Send and Receive Data from the Splunk Platform manual.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA services: 
    /opt/caspida/bin/Caspida stop
  4. Start Splunk UBA services: 
    /opt/caspida/bin/Caspida start
 Not set.
identity.resolution.export.enabled Set this property to true to send user and device association data from Splunk UBA to Splunk ES. User and device association data from Splunk UBA is visible on the Session Center dashboard in Splunk ES. See Set up Splunk UBA to send user and device association data to Splunk ES in the Send and Receive Data from the Splunk Platform manual.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Stop the Splunk UBA web interface service: 
    sudo service caspida-ui stop
  3. Start the Splunk UBA web interface service: 
    sudo service caspida-ui start
 true

Event drilldown properties

The following are configuration properties for using event drilldown in Splunk UBA:

Property Description Default behavior
triggering.event.pre.calculate.links.anomaly.threshold Adjust the anomaly score threshold for caching the SPL to retrieve contributing anomalies. See Splunk UBA caches the SPL for important anomalies in Use Splunk User Behavior Analytics.


To set the configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Stop the Splunk UBA job manager service: 
    sudo service caspida-jobmanager stop
  3. Start the Splunk UBA job manager service: 
    sudo service caspida-jobmanager start
 8
triggering.event.timeout.millis Timeout value for the SPL in retrieving an anomaly's contributing events. See Configure properties to increase the timeout interval in Use Splunk User Behavior Analytics.


To set the configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Stop the Splunk UBA job manager service: 
    sudo service caspida-jobmanager stop
  3. Start the Splunk UBA job manager service: 
    sudo service caspida-jobmanager start
 300000
triggering.event.enable.reverse.ir Whether or not to enable reverse identity resolution (IR). See reverse IR to view contributing events Documentation:UBA:User:TriggeringEvents in Use Splunk User Behavior Analytics.


To set the configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Stop the Splunk UBA job manager service: 
    sudo service caspida-jobmanager stop
  3. Start the Splunk UBA job manager service: 
    sudo service caspida-jobmanager start
 false
triggering.event.search.backend.submission Submit the generated SPL to the Splunk platform using same credentials as the one used to create the data source. See Working with long URLs in Use Splunk User Behavior Analytics.


To set the configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Stop the Splunk UBA job manager service: 
    sudo service caspida-jobmanager stop
  3. Start the Splunk UBA job manager service: 
    sudo service caspida-jobmanager start
 true

Raw event data ingestion properties

The following are configuration properties for Splunk UBA to ingest raw events from the Splunk platform:

Property Description Default behavior
splunk.live.micro.batching Splunk UBA ingests data from the Splunk platform by performing micro batch queries. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA services: 
    /opt/caspida/bin/Caspida stop
  4. Start Splunk UBA services: 
    /opt/caspida/bin/Caspida start
 true
splunk.live.micro.batching.delay.seconds or

splunk.micro.batching.search.delay.seconds.<dataSourceName>

Define the point in time where Splunk UBA begins data ingestion. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA services: 
    /opt/caspida/bin/Caspida stop
  4. Start Splunk UBA services: 
    /opt/caspida/bin/Caspida start
 180 seconds
splunk.live.micro.batching.interval.seconds or

splunk.micro.batching.search.interval.seconds.<dataSourceName>

The length of time for each micro batch query. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA services: 
    /opt/caspida/bin/Caspida stop
  4. Start Splunk UBA services: 
    /opt/caspida/bin/Caspida start
 60 seconds
connector.splunk.max.backtrace.time.in.hour The window of time that determines when to begin data ingestion, especially after a data source is stopped and then restarted. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA services: 
    /opt/caspida/bin/Caspida stop
  4. Start Splunk UBA services: 
    /opt/caspida/bin/Caspida start
 4 hours
parser.global.input_timezone Set the time zone you want to use when ingesting events, in particular for file-based data sources. See Add file-based data sources to Splunk UBA in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA container services: 
    /opt/caspida/bin/Caspida stop-containers
  4. Start Splunk UBA container services: 
    /opt/caspida/bin/Caspida start-containers
 UTC

Asset and identity data ingestion properties

The following are configuration properties for Splunk UBA to ingest asset and identity data:

Property Description Default behavior
attribution.keyvalue.delimiter The delimiter to use when ingesting assets data with multi-values fields. See Configure asset ingestion for multi-valued fields in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Restart Splunk UBA services: 
    /opt/caspida/bin/Caspida restart
 Comma (,)
assets.proxy.query.adformat Specify whether Splunk UBA should use MULTILINE or XML format when querying Windows Security Event logs for proxy servers. See Perform asset identification by using the Splunk Assets data source in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop the Splunk UBA job manager service: 
    sudo service caspida-jobmanager stop
  4. Start the Splunk UBA job manager service: 
    sudo service caspida-jobmanager start
 MULTILINE
identity.resolution.blacklist.threshold.device.hostnamecount To help Splunk UBA identify multi-user systems, data from last 24 hours is analyzed to find occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of device mappings. See View IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Restart the data sources.
 2
identity.resolution.blacklist.threshold.device.hostnamehours To help Splunk UBA identify multi-user systems, data from last 24 hours is analyzed to find occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of consecutive hours. See View IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Restart the data sources.
 6
identity.resolution.hrcache.capacity Set the value of this property to three times the number of HR accounts being monitored by Splunk UBA to avoid potential performance issues. See Set the HR data cache capacity in the Get Data into Splunk User Behavior Analytics manual.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 300,000

Kafka data ingestion properties

The following are configuration properties related to anomalies and threats in Splunk UBA:

For additional documentation, see Configure Kafka data ingestion in the Splunk UBA Kafka Ingestion App manual.

Property Description Default behavior
splunk.kafka.ingestion.search.delay.seconds The point in time where Splunk UBA begins Kafka ingestion.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA services: 
    /opt/caspida/bin/Caspida stop
  4. Start Splunk UBA services: 
    /opt/caspida/bin/Caspida start
 180 seconds
splunk.kafka.ingestion.search.interval.seconds The length of the time in seconds for each batch query.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA services: 
    /opt/caspida/bin/Caspida stop
  4. Start Splunk UBA services: 
    /opt/caspida/bin/Caspida start
 60 seconds
splunk.kafka.ingestion.search.max.lag.seconds The maximum, lag, or amount of time between the end time of the most recent batch query and the time Kafka ingestion starts.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Stop Splunk UBA services: 
    /opt/caspida/bin/Caspida stop
  4. Start Splunk UBA services: 
    /opt/caspida/bin/Caspida start
 3600 seconds

Anomaly and threat properties

The following are configuration properties related to anomalies and threats in Splunk UBA:

Property Description Default behavior
entity.score.lookbackWindowMonths Entity scoring is based on anomalies and threats from the past 2 months. Configure this property to change the time window. See Filter the scope of anomalies and threats in Use Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Stop Splunk UBA container services: 
    /opt/caspida/bin/Caspida stop-containers
  3. Start Splunk UBA container services: 
    /opt/caspida/bin/Caspida start-containers
 2 months
persistence.anomalies.trashed.maintain.days Splunk UBA purges anomalies more than 90 days old. Configure the property to change this value. See Splunk UBA cleans up old anomalies in the trash in User Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 90 days
persistance.anomalies.trashed.del.limit Splunk UBA removes batches of 300,000 anomalies when purging old anomalies. Configure the property to change the batch size. See Splunk UBA cleans up old anomalies in the trash in User Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 300,000
rule.engine.process.timeout.min The number of minutes allowed for a threat rule to run and complete before it times out. See Manage the number of threats and anomalies in your environment in User Splunk User Behavior Analytics.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Restart the offline rule executor: 
    sudo service caspida-offlineruleexec restart
 60

Backup and restore properties

The following are configuration properties related to backup and restore in Splunk UBA:

For more information about these configuration properties, see Backup and restore Splunk UBA using automated incremental backups.

Property Description Default behavior
backup.filesystem.full.interval The frequency with which Splunk UBA performs an automated full backup without stopping Splunk UBA.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 1 week
backup.filesystem.enabled Set this property to designate whether or not automated backups are enabled on the system.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 true
backup.filesystem.directory Set this property to designate the location where the automated backups are stored.


To set this configuration property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 /backup

Warm standby properties

The following are configuration properties related to warm standby in Splunk UBA:

For more information about these properties, see Set up the standby Splunk UBA system.

Property Description Default behavior
replication.enabled Set this property to enable the primary system to synchronize with the standby system.


To configure this property:

  1. Stop Splunk UBA: 
    Caspida stop
  2. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  3. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  4. Start Splunk UBA: 
    Caspida start
 Not set
replication.primary.host Specify the management node of the primary Splunk UBA cluster.


To configure this property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 Not set
replication.standby.host Specify the management node of the standby Splunk UBA cluster.


To configure this property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 Not set

Custom content properties

The following are configuration properties related to custom models and cubes in Splunk UBA:

For more information about these properties, see Set limits for the number of custom models, cubes, measures and dimensions in Splunk UBA in the Develop Custom Content in Splunk User Behavior Analytics manual.

Property Description Default behavior
custom.cubes.non.deleted.max The maximum number of custom cubes that can be created.


To configure this property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 6
custom.cubes.dimensions.max The maximum number of dimensions allowed in a custom cube.


To configure this property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 6
custom.cubes.measures.max The maximum number of measures allowed in a custom cube.


To configure this property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 3
custom.models.enabled.max The maximum number of active custom models allowed.


To configure this property:

  1. Set the property to the desired value in the /etc/caspida/local/conf/uba-site.properties file.
  2. Synchronize the change across all Splunk UBA nodes: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
 6
Last modified on 10 October, 2024
Start and stop Splunk UBA services from the command line   When jobs run in Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters