Manage Splunk UBA configuration properties in the uba-site.properties file
Configure Splunk UBA by adding or editing properties in the /etc/caspida/local/conf/uba-site.properties file.
Customizations made in this file are not modified during any Splunk UBA upgrade procedures.
You can configure the following product areas in Splunk UBA by adding or editing properties in the /etc/caspida/local/conf/uba-site.properties file:
- Splunk UBA environment properties
- Splunk UBA and Splunk Enterprise Security (ES) properties
- Event drilldown properties
- Raw event data ingestion properties
- Asset and identity data ingestion properties
- Kafka data ingestion properties
- Anomaly and threat properties
- Backup and restore properties
- Warm standby properties
- Custom content properties
In the tables in each section, the values in the Default behavior column indicate the default Splunk UBA behavior when a configuration property is not set.
How to set configuration properties in Splunk UBA
A file called /opt/caspida/conf/uba-default.properties is used by Splunk UBA to manage many of the processes and micro-services required to operate Splunk UBA. To edit any of these default properties, or to add new properties, copy this file to /etc/caspida/local/conf/uba-site.properties and make your changes there. Only edit the uba-site.properties file when changes are required; a property set in uba-site.properties overrides the default, so a full copy of the default file pins every default value, and it is safer to carry over only the properties you intend to change. The /etc/caspida/local/conf directory is not affected by any upgrade scripts, so configuration changes in this location persist across product upgrades.
Perform the following steps to edit /etc/caspida/local/conf/uba-site.properties and have the changes take effect:
- Log in to the Splunk UBA management node as the caspida user.
- Edit the /etc/caspida/local/conf/uba-site.properties file and add or edit the desired property and value.
- Save and exit the file.
- Synchronize the configuration changes across the cluster:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
Depending on the service you are configuring, there might be additional steps required in order for the configuration property changes to take effect.
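The procedure above amounts to "add or replace one key=value line, then sync". The following shell script is an added example, not code from the Splunk UBA documentation or product, that does the add-or-replace step idempotently: it matches only the exact key (so ui.idleTimeout is not confused with a key that merely shares that prefix), keeps comments and other keys intact, and leaves a .bak copy for rollback. It assumes the key=value syntax of Java .properties files; the demo at the bottom runs on a constructed temporary file rather than the real /etc/caspida/local/conf/uba-site.properties, and the sync-cluster command is shown in a comment rather than executed.

```shell
#!/bin/sh
# Added example (not from the Splunk UBA documentation): set a property in a
# uba-site.properties file idempotently, so re-running never leaves two lines
# for the same key. Assumes key=value syntax (Java .properties style).
set -eu

# key_regex KEY -> KEY with dots escaped for use in a regular expression
key_regex() {
  printf '%s' "$1" | sed 's/[.]/\\./g'
}

# set_uba_property FILE KEY VALUE
# Replaces an existing assignment of exactly KEY, or appends one. Comments,
# blank lines and keys that only share a prefix are left untouched.
set_uba_property() {
  file="$1"; key="$2"; value="$3"
  tmp="$(mktemp)"
  if [ -f "$file" ]; then
    cp "$file" "$file.bak"                       # rollback copy
    # grep -v exits 1 when every line matched (file held only this key);
    # that is not an error for our purposes.
    grep -v -E "^[[:space:]]*$(key_regex "$key")[[:space:]]*=" "$file" > "$tmp" || true
  fi
  printf '%s=%s\n' "$key" "$value" >> "$tmp"
  mv "$tmp" "$file"
}

# get_uba_property FILE KEY -> prints the last value assigned to KEY, or nothing
get_uba_property() {
  grep -E "^[[:space:]]*$(key_regex "$2")[[:space:]]*=" "$1" 2>/dev/null \
    | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Stand-alone demo on a constructed file. The real path is
# /etc/caspida/local/conf/uba-site.properties on the management node.
demo_file="$(mktemp)"
cat > "$demo_file" <<'EOF'
# constructed sample of uba-site.properties
ui.idleTimeout=1800000
ui.idleTimeoutDemo=1
EOF
# (ui.idleTimeoutDemo is a constructed key used only to show prefix handling)
set_uba_property "$demo_file" ui.idleTimeout 3600000
set_uba_property "$demo_file" backup.filesystem.directory /backup
printf 'ui.idleTimeout is now %s\n' "$(get_uba_property "$demo_file" ui.idleTimeout)"
rm -f "$demo_file" "$demo_file.bak"

# After editing the real file, as the caspida user, push it to the cluster:
#   /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
```

Run it as the caspida user on the management node with the real file path, then run the sync-cluster command; the .bak copy lets you revert a bad edit before syncing.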
Splunk UBA environment properties
The following configuration properties affect your Splunk UBA setup:
Property | Description | Default behavior |
---|---|---|
system.docker.networkcidr | Use this property to customize the IP addresses of your Docker containers to avoid conflicts in your network. See Change the IP address of your Docker containers. | Not set. |
ui.idleTimeout | Use this property to change or disable the timeout value for the Splunk UBA web interface. See Disable the Splunk UBA web interface timeout. | 1800000 milliseconds (30 minutes) |
Health monitor indicators | Many health monitor indicators have configurable properties that allow you to change the threshold at which a warning or error is generated. See Health Monitor status code reference. | Varies. |
Splunk UBA and Splunk Enterprise Security integration properties
The following are configuration properties for Splunk UBA and Splunk Enterprise Security (ES) integration:
Property | Description | Default behavior |
---|---|---|
uba.splunkes.retry.delay.minutes | Configure how often Splunk UBA sends threats to Splunk ES. See How threats and notables are synchronized in the Send and Receive Data from the Splunk Platform manual. | 5 minutes |
uiServer.host | The Splunk UBA server name given to the /opt/caspida/bin/Caspida setup command during Splunk UBA installation. For the Splunk ES integration to work, the value stored in this property must match that name. See Splunk Enterprise and Splunk ES requirements in the Send and Receive Data from the Splunk Platform manual. | N/A |
uba.sys.audit.push.splunk.enabled | Set this property to true to send Splunk UBA audit events to Splunk ES. See Send audit events to Splunk ES in the Send and Receive Data from the Splunk Platform manual. | Not set. |
identity.resolution.export.enabled | Set this property to true to send user and device association data from Splunk UBA to Splunk ES. This data is visible on the Session Center dashboard in Splunk ES. See Set up Splunk UBA to send user and device association data to Splunk ES in the Send and Receive Data from the Splunk Platform manual. | true |
Event drilldown properties
The following are configuration properties for using event drilldown in Splunk UBA:
Property | Description | Default behavior |
---|---|---|
triggering.event.pre.calculate.links.anomaly.threshold | The anomaly score threshold at or above which Splunk UBA pre-calculates and caches the SPL used to retrieve an anomaly's contributing events. See Splunk UBA caches the SPL for important anomalies in Use Splunk User Behavior Analytics. | 8 |
triggering.event.timeout.millis | Timeout, in milliseconds, for the SPL search that retrieves an anomaly's contributing events. See Configure properties to increase the timeout interval in Use Splunk User Behavior Analytics. | 300000 (5 minutes) |
triggering.event.enable.reverse.ir | Whether or not to enable reverse identity resolution (IR). See reverse IR to view contributing events in Use Splunk User Behavior Analytics. | false |
triggering.event.search.backend.submission | Submit the generated SPL to the Splunk platform using the same credentials as those used to create the data source. See Working with long URLs in Use Splunk User Behavior Analytics. | true |
Raw event data ingestion properties
The following are configuration properties for Splunk UBA to ingest raw events from the Splunk platform:
Property | Description | Default behavior |
---|---|---|
splunk.live.micro.batching | Splunk UBA ingests data from the Splunk platform by performing micro batch queries. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics. | true |
splunk.live.micro.batching.delay.seconds or splunk.micro.batching.search.delay.seconds.<dataSourceName> | Define the point in time at which Splunk UBA begins data ingestion, globally or for a single named data source. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics. | 180 seconds |
splunk.live.micro.batching.interval.seconds or splunk.micro.batching.search.interval.seconds.<dataSourceName> | The length of time covered by each micro batch query, globally or for a single named data source. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics. | 60 seconds |
connector.splunk.max.backtrace.time.in.hour | The window of time that determines how far back data ingestion begins, in particular after a data source is stopped and then restarted. See How data gets in to Splunk UBA in Get Data into Splunk User Behavior Analytics. | 4 hours |
parser.global.input_timezone | The time zone to use when ingesting events, in particular for file-based data sources. See Add file-based data sources to Splunk UBA in Get Data into Splunk User Behavior Analytics. | UTC |
Asset and identity data ingestion properties
The following are configuration properties for Splunk UBA to ingest asset and identity data:
Property | Description | Default behavior |
---|---|---|
attribution.keyvalue.delimiter | The delimiter to use when ingesting asset data with multi-valued fields. See Configure asset ingestion for multi-valued fields in Get Data into Splunk User Behavior Analytics. | Comma (,) |
assets.proxy.query.adformat | Specify whether Splunk UBA uses MULTILINE or XML format when querying Windows Security Event logs for proxy servers. See Perform asset identification by using the Splunk Assets data source in Get Data into Splunk User Behavior Analytics. | MULTILINE |
identity.resolution.blacklist.threshold.device.hostnamecount | To help Splunk UBA identify multi-user systems, data from the last 24 hours is analyzed for occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of device mappings. See View IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics. | 2 |
identity.resolution.blacklist.threshold.device.hostnamehours | To help Splunk UBA identify multi-user systems, data from the last 24 hours is analyzed for occurrences of more than 2 device mappings per hour for more than 6 hours. Edit this property to change the number of consecutive hours. See View IDR exclusion lists in Splunk UBA in Get Data into Splunk User Behavior Analytics. | 6 |
identity.resolution.hrcache.capacity | Set this property to three times the number of HR accounts monitored by Splunk UBA to avoid potential performance issues. See Set the HR data cache capacity in the Get Data into Splunk User Behavior Analytics manual. | 300,000 |
Kafka data ingestion properties
The following are configuration properties related to Kafka data ingestion in Splunk UBA:
For additional documentation, see Configure Kafka data ingestion in the Splunk UBA Kafka Ingestion App manual.
Property | Description | Default behavior |
---|---|---|
splunk.kafka.ingestion.search.delay.seconds | The point in time at which Splunk UBA begins Kafka ingestion. | 180 seconds |
splunk.kafka.ingestion.search.interval.seconds | The length of time, in seconds, covered by each batch query. | 60 seconds |
splunk.kafka.ingestion.search.max.lag.seconds | The maximum lag: the amount of time allowed between the end time of the most recent batch query and the time Kafka ingestion starts. | 3600 seconds |
Anomaly and threat properties
The following are configuration properties related to anomalies and threats in Splunk UBA:
Property | Description | Default behavior |
---|---|---|
entity.score.lookbackWindowMonths | Entity scoring is based on anomalies and threats from the past 2 months. Configure this property to change the time window. See Filter the scope of anomalies and threats in Use Splunk User Behavior Analytics. | 2 months |
persistence.anomalies.trashed.maintain.days | Splunk UBA purges trashed anomalies more than 90 days old. Configure this property to change that age. See Splunk UBA cleans up old anomalies in the trash in Use Splunk User Behavior Analytics. | 90 days |
persistance.anomalies.trashed.del.limit | Splunk UBA removes old anomalies in batches of 300,000 when purging them. Configure this property to change the batch size. See Splunk UBA cleans up old anomalies in the trash in Use Splunk User Behavior Analytics. | 300,000 |
rule.engine.process.timeout.min | The number of minutes a threat rule is allowed to run and complete before it times out. See Manage the number of threats and anomalies in your environment in Use Splunk User Behavior Analytics. | 60 |
Backup and restore properties
The following are configuration properties related to backup and restore in Splunk UBA:
For more information about these configuration properties, see Backup and restore Splunk UBA using automated incremental backups.
Property | Description | Default behavior |
---|---|---|
backup.filesystem.full.interval | The frequency with which Splunk UBA performs an automated full backup without stopping Splunk UBA. | 1 week |
backup.filesystem.enabled | Set this property to designate whether or not automated backups are enabled on the system. | true |
backup.filesystem.directory | Set this property to designate the location where the automated backups are stored. | /backup |
Warm standby properties
The following are configuration properties related to warm standby in Splunk UBA:
For more information about these properties, see Set up the standby Splunk UBA system.
Property | Description | Default behavior |
---|---|---|
replication.enabled | Set this property to enable the primary system to synchronize with the standby system. | Not set |
replication.primary.host | Specify the management node of the primary Splunk UBA cluster. | Not set |
replication.standby.host | Specify the management node of the standby Splunk UBA cluster. | Not set |
Custom content properties
The following are configuration properties related to custom models and cubes in Splunk UBA:
For more information about these properties, see Set limits for the number of custom models, cubes, measures and dimensions in Splunk UBA in the Develop Custom Content in Splunk User Behavior Analytics manual.
Property | Description | Default behavior |
---|---|---|
custom.cubes.non.deleted.max | The maximum number of custom cubes that can be created. | 6 |
custom.cubes.dimensions.max | The maximum number of dimensions allowed in a custom cube. | 6 |
custom.cubes.measures.max | The maximum number of measures allowed in a custom cube. | 3 |
custom.models.enabled.max | The maximum number of active custom models allowed. | 6 |
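Several of the properties in the tables above change the security or resilience posture of a deployment rather than its tuning: backup.filesystem.enabled (documented default true), ui.idleTimeout (documented default 1800000 ms), uba.sys.audit.push.splunk.enabled (not set by default, so audit events stay inside UBA) and replication.enabled (not set by default, so there is no warm standby). The following script is an added example, not from the Splunk UBA documentation or product, that reads a uba-site.properties file and reports these settings when they are weaker than the documented defaults suggest. It assumes key=value syntax; treating ui.idleTimeout=0 or a non-numeric value as a disabled timeout is this script's assumption, and the demo file at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the Splunk UBA documentation): audit a
# uba-site.properties file against the defaults documented above and report
# settings that weaken security or resilience. Assumes key=value syntax.
# Treating ui.idleTimeout=0 (or a non-number) as "timeout disabled" is an
# assumption of this script, not a statement from the documentation.
set -eu

# prop FILE KEY -> last value assigned to exactly KEY, or empty if unset
prop() {
  grep -E "^[[:space:]]*$(printf '%s' "$2" | sed 's/[.]/\\./g')[[:space:]]*=" "$1" 2>/dev/null \
    | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# audit_uba_site FILE: prints one finding per line; prints nothing when clean
audit_uba_site() {
  f="$1"

  # Documented default is true; any other value means no automated backups.
  v="$(prop "$f" backup.filesystem.enabled)"
  [ "${v:-true}" = "true" ] || echo "backup.filesystem.enabled=$v: automated backups are disabled"

  # Documented default is 1800000 ms (30 minutes).
  v="$(prop "$f" ui.idleTimeout)"
  case "$v" in
    '') ;;  # unset: the default applies
    *[!0-9]*|0) echo "ui.idleTimeout=$v: web interface idle timeout disabled or invalid (assumed meaning of 0)" ;;
    *) [ "$v" -le 1800000 ] || echo "ui.idleTimeout=$v: longer than the 30-minute default" ;;
  esac

  # Not set by default; without it UBA audit events are not sent to Splunk ES.
  v="$(prop "$f" uba.sys.audit.push.splunk.enabled)"
  [ "$v" = "true" ] || echo "uba.sys.audit.push.splunk.enabled=${v:-<unset>}: audit events are not sent to Splunk ES"

  # Not set by default; without it there is no warm standby.
  v="$(prop "$f" replication.enabled)"
  [ "$v" = "true" ] || echo "replication.enabled=${v:-<unset>}: no warm standby replication"
}

# audit_count FILE -> number of findings (0 when clean)
audit_count() {
  audit_uba_site "$1" | awk 'END { print NR }'
}

# Stand-alone demo on a constructed file. The real file is
# /etc/caspida/local/conf/uba-site.properties on the management node.
demo="$(mktemp)"
printf '# constructed sample\nbackup.filesystem.enabled=false\nui.idleTimeout=0\n' > "$demo"
audit_uba_site "$demo"
printf 'findings: %s\n' "$(audit_count "$demo")"
rm -f "$demo"
```

Point audit_uba_site at the real file on the management node; a finding about an unset property is a prompt to decide deliberately, since the documented default for that property is what is in effect.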
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1