Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Add custom data to Splunk UBA using the generic data source

Use the generic data source type in Splunk UBA to add data that is not CIM compliant and not supported by any of the Splunk UBA native parsers.

For example, you might want to add credit card authorization and transaction data, and use the custom use case framework to develop custom models to raise anomalies. See What is the custom use case framework?

Credit card data is not CIM compliant, and Splunk UBA does not have a native parser to support this data format using the Splunk Raw Events data type.

Perform the following tasks to get custom data into Splunk UBA as a generic data source.

Access the Data Source Type wizard

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source and complete the pages in the wizard to configure the data source.

Follow the Data Source Type wizard steps

  1. Step 1 of 7: Data Source Type
    Select a data source type of Splunk and click Next.
  2. Step 2 of 7: Connection
    1. Specify a name for the data source, such as SplunkEnterprise. The data source name must be alphanumeric with no spaces or special characters.
    2. Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port, for example, https://splunksearchhead.splunk.com:8089. If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point failure. Ensure that port 8089 is accessible on the load balancer.
    3. Type the username and password for the Splunk platform account.
    4. Leave the default Connector Type of Splunk Direct.
    5. Click Next.
  3. Step 3 of 7: Time Range
    1. Select a time range.
      • To retrieve data using time-based micro batch queries, select Live and All time. See How data gets into Splunk UBA.
      • To retrieve data at a regular interval defined by a time window, select Live and Time Window and specify a time period.
      • To add historical data from the Splunk platform, select Date Range and select a calendar date range.
    2. Click Next.
  4. Step 4 of 7: Events to Process
    1. Select Splunk Query and enter a search in the field to identify the source type.
    2. Click Next.
  5. Step 5 of 7: Data Format
    1. Select Single Format.
    2. Select the GENERIC format from the drop-down list of formats.
    3. Click Next.
  6. Step 6 of 7: Splunk Query
    Review the Splunk search created by the wizard. If you want, run the search in the Splunk platform to verify that the data output matches what you expect to see.
    The source type in the Splunk platform appears on threats and anomalies in Splunk UBA. If you want to alias the source type to a more meaningful or accurate value, add an eval statement to the search to set the source type value to a custom value:
    | eval sourcetype="Your Custom Value"

    If subsearches are used, wrap each subsearch's square brackets in parentheses, "(" and ")", whenever possible, as shown in the following example:
    (index=*default sourcetype=newdatasource) NOT ([| inputlookup logging1.csv]) NOT ([| inputlookup logging2.csv]) NOT ([| inputlookup logging3.csv | rename dest as src]) | eval action="allowed", eventtype=category | fields action,alarmCategories,bytes,bytes_in,bytes_out,category, dest_host,dest_ip,dest_port,duration,eventtype, ids_type,severity,signature,sourcetype,src_host,src_ip,src_port,tag,user

  7. Step 7 of 7: Test Mode
    To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
  8. Click OK to save the data source.
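As an added example (not Splunk's code), the following Python helper assembles a Step 6 search from its parts, applying the two rules this topic gives: each NOT subsearch is wrapped in parentheses, and an optional eval aliases the source type. The field list is taken from the example search above; the check function flags any top-level subsearch that is not wrapped before the data source is saved.

```python
"""Build and sanity-check the Splunk search that feeds a GENERIC data source.
Added example, not Splunk's code; function names are the author's own."""

# Fields kept by the example search in this topic.
GENERIC_FIELDS = [
    "action", "alarmCategories", "bytes", "bytes_in", "bytes_out", "category",
    "dest_host", "dest_ip", "dest_port", "duration", "eventtype", "ids_type",
    "severity", "signature", "sourcetype", "src_host", "src_ip", "src_port",
    "tag", "user",
]


def build_generic_search(base, exclude_subsearches=(), sourcetype_alias=None,
                         fields=GENERIC_FIELDS):
    """Return the search: (base) NOT ([sub]) ... [| eval sourcetype=...] | fields ...
    Every subsearch is wrapped as ([...]) as the wizard recommends."""
    parts = [f"({base})"]
    for sub in exclude_subsearches:
        parts.append(f"NOT ([{sub}])")
    search = " ".join(parts)
    if sourcetype_alias is not None:
        # Quote the alias so spaces survive; escape embedded double quotes.
        alias = sourcetype_alias.replace('"', '\\"')
        search += f' | eval sourcetype="{alias}"'
    return search + " | fields " + ",".join(fields)


def unwrapped_subsearches(search):
    """Return (start, end) offsets of top-level [subsearch] blocks that are not
    wrapped as ([...]), so a reviewer can fix them before saving the data source."""
    found, depth, start = [], 0, None
    for i, ch in enumerate(search):
        if ch == "[":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "]" and depth > 0:
            depth -= 1
            if depth == 0:
                before = search[start - 1] if start > 0 else ""
                after = search[i + 1] if i + 1 < len(search) else ""
                if not (before == "(" and after == ")"):
                    found.append((start, i))
    return found


if __name__ == "__main__":
    # Constructed sample input modelled on the example search in this topic.
    q = build_generic_search("index=*default sourcetype=newdatasource",
                             ["| inputlookup logging1.csv"], "Card Auth")
    print(q)
    print("unwrapped:", unwrapped_subsearches(q))
```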
Last modified on 10 July, 2024

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1