Send Splunk UBA threats to analysts using email
Send your security analysts threats from Splunk UBA to triage using email. Perform the following steps to set up an email server as an output connector in Splunk UBA:
- If your email server is using a self-signed or internal root certificate, you must import the root CA certificate so that secure connections are trusted by Splunk UBA. You do not need to do this if your email server is using a certificate from a trusted certificate authority (CA) such as VeriSign or Thawte.
- Set up the email server as an output connector.
Your email server must support either STARTTLS or SSL in order to send emails over secure connections. Emails will not be sent over insecure connections.
Import the root CA certificate
Perform the following steps if your email server is using a self-signed or internal root CA certificate:
- Copy the root CA certificate from your email server to Splunk UBA.
- Log in to the Splunk UBA management server as the caspida user.
- Import the root CA certificate to the Java certificate store. For example, if you copied the root CA from your email server as cacert.pem:
  sudo keytool -import -alias "splunk smtp" -keystore /usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/cacerts -file ~/cacert.pem
  If your JDK is not installed in /usr/lib/jvm/java-1.8.0-openjdk-amd64, perform the following steps to import the root CA certificate:
  - Ensure that $JAVA_HOME is set correctly on your system. In the following examples, replace <jdk-install-dir> with the directory where the JDK is installed, such as /usr/lib/jvm/java-1.8.0-openjdk-amd64.
    - To set $JAVA_HOME in Korn and Bash shells:
      export JAVA_HOME=<jdk-install-dir>
      export PATH=$JAVA_HOME/bin:$PATH
    - To set $JAVA_HOME in Bourne shells:
      JAVA_HOME=<jdk-install-dir>
      export JAVA_HOME
      PATH=$JAVA_HOME/bin:$PATH
      export PATH
    - To set $JAVA_HOME in C shells:
      setenv JAVA_HOME <jdk-install-dir>
      setenv PATH $JAVA_HOME/bin:$PATH
  - Import the root CA certificate to the Java certificate store:
    sudo keytool -import -alias "splunk smtp" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
  - When keytool prompts for the keystore password, enter the default password, changeit.
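The import procedure above, as an added shell example that is not Splunk's own script: it resolves the cacerts file for whichever JDK layout is present (the jre/lib/security path on this page is the JDK 8 layout; JDK 9 and later keep the file under lib/security), runs the same keytool import non-interactively, and lists the alias back to confirm it was stored. The alias "splunk smtp", the cacert.pem file name, the default JDK directory, and the keystore password changeit come from the page; the function names, the JDK 9+ path check, and the verification step are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Splunk's own script): import an SMTP server's root CA
# into the JDK trust store used by Splunk UBA and verify the entry.
# Assumptions: run as the caspida user with sudo available, keytool lives
# under <jdk>/bin, and the keystore password is the JDK default "changeit".

# Resolve the cacerts file for a JDK install. JDK 8 keeps it under jre/lib,
# JDK 9 and later under lib, so both layouts are checked in that order.
cacerts_path() {
    jdk="$1"
    for candidate in "$jdk/jre/lib/security/cacerts" "$jdk/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Import a PEM root CA under the given alias, then list it back to confirm
# the trust store now holds it. Returns non-zero if any step fails.
# The JDK directory defaults to $JAVA_HOME, then to the page's JDK 8 path.
import_root_ca() {
    pem="$1"
    alias="$2"
    jdk="${3:-${JAVA_HOME:-/usr/lib/jvm/java-1.8.0-openjdk-amd64}}"
    keystore=$(cacerts_path "$jdk") || { echo "no cacerts under $jdk" >&2; return 1; }
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # keytool is called by absolute path because sudo may reset $PATH and
    # $JAVA_HOME. -trustcacerts and -noprompt make the import non-interactive,
    # and -storepass supplies the password instead of waiting for the prompt.
    sudo "$jdk/bin/keytool" -import -trustcacerts -noprompt \
        -alias "$alias" -file "$pem" \
        -keystore "$keystore" -storepass changeit || return 1
    # Verification: the alias must now be listed as a trustedCertEntry.
    "$jdk/bin/keytool" -list -keystore "$keystore" -storepass changeit \
        -alias "$alias" | grep -q trustedCertEntry
}

# Usage, matching the page's example:
#   import_root_ca ~/cacert.pem "splunk smtp"
```

Run the import once per JDK that Splunk UBA uses; if the JDK is upgraded to a new directory, the trust store moves with it and the certificate has to be imported again.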
Set up the email server as an output connector
Perform the following steps to set up an output connector for emails. You must provide the account name and password for the SMTP server.
- Select Manage > Output Connectors.
- Click New Output Connector.
- Select an output connector type of Email and click Next.
- Enter a Name for the email server so you can identify it in Splunk UBA. For example, Company email server.
- Enter Recipients for threat emails. For example, the email address of a triaging security analyst or analyst group, or several email addresses separated by line breaks.
- Enter your SMTP Server host name or IP address.
- Enter the SMTP Server Port to use to access the email server. You must specify port 465 for SMTPS (SMTP over SSL) or 587 for STARTTLS.
- Enter the Account Name for the email server. For example, Org-SOC@yourorg.com.
- Enter the Account Password for the email server.
- Select the Individual Emails check box to receive an email for each threat. Deselect the check box to receive only one email for all the threats of a certain type. For example, if Splunk UBA generates four threats for "Insider: Suspicious Behavior," four emails are sent if the check box is selected, but if the check box is deselected, one email is sent.
- Check the Auto Process check box to receive notifications immediately when a threat is generated. Deselect the check box to send threats on an ad-hoc basis using the Actions menu on the Threat Details page.
- Check the Mask PII check box to mask PII such as usernames and IP addresses in the email. This setting only applies to auto-processed emails.
- Click OK to save the output connector for the email system.
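Before entering the SMTP host and port in the connector, you can confirm from the Splunk UBA host that the server completes a TLS handshake on that port against the root CA you trust, since Splunk UBA only sends over SMTPS (465) or STARTTLS (587). This is an added example, not a Splunk tool: it uses openssl s_client, which is assumed to be installed, and the host, port, and CA file are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not Splunk's own): check that an SMTP server completes a
# verified TLS handshake on the port you intend to enter in the connector.
# Assumes openssl is installed; host, port, and CA file are caller-supplied.

# Map the connector port to the openssl s_client mode the page describes:
# 465 is implicit TLS (SMTPS); 587 upgrades a plain session with STARTTLS.
# Any other port is rejected because Splunk UBA never sends over plain SMTP.
smtp_tls_args() {
    case "$1" in
        465) printf '%s\n' "" ;;
        587) printf '%s\n' "-starttls smtp" ;;
        *) echo "port $1 is not 465 (SMTPS) or 587 (STARTTLS)" >&2; return 1 ;;
    esac
}

# Run the handshake and require a clean verification result.
# -CAfile points at the same root CA you imported into the JDK trust store,
# and -verify_return_error makes openssl fail the connection on a chain
# error instead of only printing it, so the exit status is meaningful.
check_smtp_tls() {
    host="$1"
    port="$2"
    cafile="$3"
    extra=$(smtp_tls_args "$port") || return 1
    # $extra is intentionally unquoted so "-starttls smtp" splits into two args.
    out=$(openssl s_client -connect "$host:$port" $extra \
            -servername "$host" -CAfile "$cafile" \
            -verify_return_error </dev/null 2>&1) || {
        printf '%s\n' "$out" | grep -i 'verify' >&2
        return 1
    }
    # On success, report the chain details an analyst would want on record.
    printf '%s\n' "$out" | grep -E 'Verify return code|subject=|issuer='
}

# Usage (placeholder host and CA file):
#   check_smtp_tls smtp.example.com 587 ~/cacert.pem
```

A non-zero exit here means the connector would also fail to send, typically because the server certificate does not chain to the imported root CA or the server does not offer TLS on that port.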
What to expect from the emails
Threat emails sent from Splunk UBA contain the following information.
- A subject of [Uba threat] and the name of the threat type. For example, [Uba threat] Insider: Suspicious Behavior.
- A link to open the threat in Splunk UBA.
- A short description of the threat including the threat type, risk score and severity level, summary, and description of the threat.
- The time that Splunk UBA detected the threat, and when the threat was last updated, for example, with new anomalies.
- Recommendations for the next steps in response to the threat.
- Names and IP addresses of users, devices, and other actors involved in the threat.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1