Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Identify assets in your environment

Asset data refers to information about the devices that are owned by your company. Splunk UBA ingests asset data from Splunk Enterprise on the schedule you configure for the asset data source (daily, for example) using asset lookup queries. Splunk UBA uses this predefined device information in the following ways:

  • An in-memory cache is used to store some of the asset lookup results, which are used by Splunk UBA to perform device resolution. For more information on how Splunk UBA uses asset data to resolve device names, see Device resolution in Splunk UBA in Use Splunk User Behavior Analytics.
  • Exclude shared infrastructure devices such as domain controllers, Exchange servers, file servers, print servers, or proxy servers, which are not associated with a specific user, from user-to-device resolution.
  • Display additional metadata for devices in the system.

You can load asset data into Splunk UBA using one of the following methods:

  • Configure a Splunk Assets data source that runs the asset queries against Splunk Enterprise. See Perform asset identification by using the Splunk Assets data source.
  • Export computer objects from LDAP into a lookup CSV file and point the asset queries at that file. See Perform asset identification by using a CSV file.

Prerequisites for performing asset identification

You must perform asset identification after HR data is loaded into Splunk UBA, but before any event data is loaded.

In addition, verify the following on Splunk Enterprise:

  • The ldapsearch command must be available and capable of accessing the LDAP server. The ldapsearch command is used by the asset domain controller query to identify and exclude the domain controllers in your environment. See Perform asset identification by using the Splunk Assets data source.

    Splunk UBA cannot obtain domain controller information in Splunk Cloud Platform environments.

  • If you have Splunk Enterprise Security (ES), the ES asset table must be reachable from the Splunk Enterprise instance that Splunk UBA connects to, because the asset ES query reads the asset database through the ES assets macro.
  • References to indexes and sources of Windows Security events in Splunk Enterprise must be available. Splunk UBA's asset proxy query makes use of Windows events 4624 and 4769 to identify and exclude proxy servers in your environment. See Perform asset identification by using the Splunk Assets data source.

Not every asset record at your site is guaranteed to be processed. When Splunk UBA cannot process a record, it reports the problem either as an error message in the Splunk UBA user interface or only in the log file, so review the log file as well as the interface after an asset import.

Asset data fields

Assets in Splunk UBA carry the following fields, which you can use to search for assets. Each entry lists the field name, its data type, a description, and an example value.

  • hostname (string): Required. The hostname of the device. Example: server1
  • denyListDeviceIr (boolean): Recommended. Indicates whether or not any IP addresses are associated with the MAC address for this device. Set to true to prevent any IP addresses from being associated with the MAC address for this device. See Exclude identity resolution for devices or users. Example: false
  • denyListUserIr (boolean): Recommended. Indicates whether or not any users are associated with this device. Set to true to prevent any users from being associated with this device. See Exclude identity resolution for devices or users. Example: false
  • app (string): The application name. Example: Database
  • asset_tag (string): The asset ID on the physical asset tag, such as a sticker, that is typically placed on each device in your organization. Example: 123456
  • bunit (string): The business unit that the device belongs to. Examples: EMEA, NorCal
  • city (string): The city where the device is located. Example: Chicago
  • cost_center (string): The cost center that the device belongs to. Example: SP01FIN
  • country (string): The country where the device is located. Example: USA
  • created_by (string): The name of the user who created the device in the system. Example: DevOps
  • department (string): The department that the device belongs to. Examples: Field Reps, ITS, Products, HR
  • deviceType (string): The type of device. Example: client
  • dns_domain (string): The domain of the device. Example: www.acmetech.org
  • dns (string): The FQDN of the device. Example: server1.corp1.acmetech.org
  • ip (array): The IP address of the device. The field can contain multiple values. See Configure asset ingestion for multivalue fields. Example: 2.1.1.1
  • is_expected (boolean): Indicates whether or not this device is always expected to report. Alerts are generated if this device stops reporting events. Example: true
  • latitude (string): The latitude of the device's location. Example: 37.780080
  • longitude (string): The longitude of the device's location. Example: -122.420170
  • mac (array): The MAC address of the device. The field can contain multiple values. See Configure asset ingestion for multivalue fields. Example: 00:50:ef:84:f1:21|00:50:ef:84:f1:20
  • managed_by (string): The manager of the device. Example: admin
  • os (string): The operating system running on the device. Examples: macOS, Windows
  • os_domain (string): The OS domain of the device. Example: Windows
  • owner (string): The owner of the device. Examples: f.prefect@acmetech.org, DevOps, Bill
  • pci_domain (string): The PCI address domain of the device. Examples: dmz, untrust
  • serial (string): The serial number of the device. Example: AB1C24D5EFGH
  • status (string): The hexadecimal Windows status code for the device. Example: 0XC0000234 (user is currently locked out)
  • substatus (string): The hexadecimal Windows sub-status code for the device. Example: 0XC000006D (invalid username or authentication)
  • sys_created_on (timestamp): The date and time stamp of when the device was first entered into the system. The format is MM/DD/YYYY. Example: 05/01/2019
  • sys_updated_on (timestamp): The date and time stamp of the last time the device was updated, for example when a laptop is assigned to a new owner. The format is MM/DD/YYYY. Example: 05/01/2019

Configure asset ingestion for multivalue fields

Some assets can have multiple values in a field, such as multiple IP addresses or MAC addresses. By default, Splunk UBA splits such a field on commas and stores each address as a separate value for the device, as shown in the following example:

192.168.10.10,192.168.10.20,192.168.10.30

For data sources such as Splunk Enterprise Security (ES) that use a delimiter other than a comma, update the attribution.keyvalue.delimiter property in the /etc/caspida/local/conf/uba-site.properties file to specify the desired delimiter.

For example, perform the following tasks to specify that multiple IP and MAC addresses are separated using a pipe (|) character instead of a comma:

  1. Log in to the management node of your Splunk UBA deployment as the caspida user.
  2. Edit the /etc/caspida/local/conf/uba-site.properties file and add or edit the attribution.keyvalue.delimiter property so it looks like the following:
    attribution.keyvalue.delimiter=Device.ip=\\|,Device.mac=\\|
    The elements of the property value are as follows:

      • Device.ip: the ip attribute of Device attribution. This element is case-sensitive.
      • Device.mac: the mac attribute of Device attribution. This element is case-sensitive.
      • \\|: the regex of the desired delimiter. The backslash is doubled because the properties file itself treats a backslash as an escape character, so the regex engine receives \| (a literal pipe) rather than a bare |, which a regex would read as an empty alternation instead of a pipe.

    This example takes the IP addresses 192.168.10.10|192.168.10.20|192.168.10.30 and stores them as follows in Splunk UBA:

    {192.168.10.10,192.168.10.20,192.168.10.30}
    Remove or comment out the attribution.keyvalue.delimiter property to use a comma as the delimiter for multivalue fields.
  3. Synchronize your Splunk UBA cluster after making any changes to your uba-site.properties file:
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
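As an added illustration, not code from Splunk UBA, the following Python models how the property line above is read. It assumes that uba-site.properties follows Java .properties escaping (a doubled backslash becomes one backslash, any other backslash is dropped), which is why the page's example needs \\| rather than \|; with a single backslash the regex engine would receive a bare |, an empty alternation that splits the value at every character. The property excerpts, the function names parse_delimiter_property and split_multivalue, and the sample addresses are this example's own.

```python
import re

PROPERTY_KEY = "attribution.keyvalue.delimiter"
DEFAULT_DELIMITER = ","

# Constructed excerpts of /etc/caspida/local/conf/uba-site.properties (raw
# strings, so the backslashes below are exactly what the file would contain).
SITE_PROPERTIES_PIPE = r"""
# pipe-delimited IP and MAC lists, as in the page's example
attribution.keyvalue.delimiter=Device.ip=\\|,Device.mac=\\|
"""

SITE_PROPERTIES_SINGLE_BACKSLASH = r"""
# the mistake this example is meant to catch: one backslash instead of two
attribution.keyvalue.delimiter=Device.ip=\|
"""

SITE_PROPERTIES_DEFAULT = r"""
# property commented out, so the comma default applies
# attribution.keyvalue.delimiter=Device.ip=\\|,Device.mac=\\|
"""


def properties_unescape(value):
    r"""Simplified Java .properties unescaping (assumed here to be what UBA's
    loader does): \\ -> \ ; \t \n \r \f -> control characters; any other
    backslash is silently dropped, so \| -> | . \uXXXX is not handled."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(simple.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_delimiter_property(props_text):
    """Return {attribute: compiled regex} from the delimiter property, or {}
    when the property is absent or commented out (comma default applies)."""
    delimiters = {}
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != PROPERTY_KEY:
            continue
        # Entries are comma-separated "Attribute=regex" pairs; attribute
        # names are case-sensitive, so "device.ip" would never match.
        for entry in properties_unescape(value.strip()).split(","):
            attribute, _, regex = entry.partition("=")
            delimiters[attribute.strip()] = re.compile(regex)
    return delimiters


def split_multivalue(attribute, value, delimiters):
    """Split one asset field into the list of values UBA would store."""
    regex = delimiters.get(attribute)
    parts = regex.split(value) if regex else value.split(DEFAULT_DELIMITER)
    return [p.strip() for p in parts if p.strip()]


if __name__ == "__main__":
    ips = "192.168.10.10|192.168.10.20|192.168.10.30"
    good = parse_delimiter_property(SITE_PROPERTIES_PIPE)
    bad = parse_delimiter_property(SITE_PROPERTIES_SINGLE_BACKSLASH)
    print("\\\\|  ->", split_multivalue("Device.ip", ips, good))
    print("\\|   ->", split_multivalue("Device.ip", ips, bad))
```

Run the block as a script to see the two outcomes side by side: the doubled backslash yields the three addresses, the single backslash yields one-character fragments that would never match a real device.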

Perform asset identification by using the Splunk Assets data source

After you meet the requirements for performing asset identification, you can begin asset identification by using the Splunk Assets data source.

Perform the following tasks to configure a Splunk Assets data source in Splunk UBA.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Scroll down to the Device Attribution section, select Splunk Assets, and then click Next.
  4. Enter the connection details to the Splunk platform, and then click Next. If you are connecting to Splunk ES, specify the Splunk ES search head as the URL of the data source.
  5. A sample query sourcetype=WinEventLog:Security is populated in the Query field to get AD multiline events. If you have AD XML events in your environment, change the query accordingly, such as sourcetype=XmlWinEventLog. You must validate that this query is returning the desired AD events in your environment. This query is used by the asset proxy query to identify and exclude the proxies in your environment.
  6. In the Domains field, specify a comma-separated list of domains in your environment. This list of domains is used by the assets domain controller query to identify and exclude the domain controllers in your environment.
  7. In the Schedule field, specify the frequency with which asset queries are run. The frequency interval begins when the data source is configured. For example, if you finish configuring the data source at 3:30PM and you select Daily as the frequency, Splunk UBA refreshes the asset data each day at 3:30PM.
  8. Click OK.

After the data source is configured, Splunk UBA performs asset data queries at the scheduled interval using the following queries:

  • Asset domain controller query: This query is located in /opt/caspida/conf/asset_dc_query.txt and performs an ldapsearch to identify and exclude the domain controllers in your environment. This query uses the domains specified in the Domains field when configuring a Splunk Assets data source.
  • Asset ES query: This query is located in /opt/caspida/conf/asset_es_pull_query.txt and uses the assets macro to obtain the assets data in Splunk ES.
  • Asset proxy query: There are two queries:
      • /opt/caspida/conf/asset_proxy_query_multiline.txt for AD multiline format.
      • /opt/caspida/conf/asset_proxy_query_xml.txt for AD XML format.

The proxy query performs an SPL search of your Windows Event Security logs to identify and exclude proxy servers. The search that is run depends on the setting of the assets.proxy.query.adformat property. By default, this property is set to MULTILINE in /opt/caspida/conf/uba-default.properties. Splunk UBA runs the query in asset_proxy_query_multiline.txt to find and exclude proxy servers.

If you have XML format Windows Event Security logs, perform the following tasks:

  1. Log in to the management node in your Splunk UBA deployment as the caspida user.
  2. Add the assets.proxy.query.adformat property to the /etc/caspida/local/conf/uba-site.properties file.
  3. Set the property to XML:
    assets.proxy.query.adformat = XML
  4. Save and exit the file.
  5. In distributed deployments, synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  6. Restart the job manager:
    sudo service  caspida-jobmanager stop
    sudo service  caspida-jobmanager start
    

Perform asset identification by using a CSV file

Perform asset identification by using a CSV file when you are not able to perform direct searches. Perform the LDAP query to create a lookup CSV file, then use the CSV file in a lookup query.

Use the following example as a guideline, and replace the commands and transformations as needed for your environment.

Perform the following steps:

  1. To create a Splunk Assets data source, see Perform asset identification by using the Splunk Assets data source .
  2. Schedule an LDAP query as a job to run every night around 10:00 PM local time. See Scheduling searches in the Splunk Enterprise Search Manual.
  3. Specify an LDAP query such as shown in the following example and create the CSV file:

    | ldapsearch domain=<domain-name> search="(&(objectCategory=computer)(sAMAccountName=*))" attrs="accountExpires,cn,countryCode,dNSHostName,department,description,distinguishedName,division,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,name,objectCategory,objectGUID,objectSid,operatingSystem,operatingSystemVersion,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,userAccountControl,whenChanged,whenCreated" | outputlookup uba_ldapsearch_computers.csv | stats count

    Be sure to replace domain-name with an appropriate domain name for your environment.

  4. Make local copies of the existing asset configuration files and put them in the /etc/caspida/local/conf folder:
    cp -a /etc/caspida/conf/asset_* /etc/caspida/local/conf/.
  5. For each asset configuration file add a lookup query such as shown in the following example to /etc/caspida/local/conf/asset_dc_query.txt:

    | inputlookup uba_ldapsearch_computers.csv | fields - _raw | rex max_match=0 field=distinguishedName ".*?OU=(?<groups>[^,=]+),.*?" | eval deviceType=mvjoin(groups, " - ") | rename name as hostname, dNSHostName as dns, operatingSystem as os, countryCode as country, whenCreated as sys_created_on, whenChanged as sys_updated_on | eval blackListUserIr=IF((lower(deviceType)="domain controllers" OR like(lower(deviceType), "%prox%") OR like(lower(deviceType), "%exch%") OR like(lower(deviceType), "%dns%") OR lower(deviceType)="azurecoread"),"true","false") | table accountExpires,blackListUserIr,cn,country,department,description,deviceType,distinguishedName,division,dns,hostname,isCriticalSystemObject,lastLogoff,lastLogon,lastLogonTimestamp,localPolicyFlags,logonCount,objectCategory,objectGUID,objectSid,operatingSystemVersion,os,primaryGroupID,pwdLastSet,sAMAccountName,sAMAccountType,sys_updated_on,sys_created_on,userAccountControl

  6. Repeat step 5 for the remaining asset configuration files you copied into /etc/caspida/local/conf (asset_es_pull_query.txt and the proxy query files asset_proxy_query_multiline.txt and asset_proxy_query_xml.txt), giving each a valid query that returns no results so that only the lookup query in asset_dc_query.txt contributes assets.
    For example:

    | inputlookup uba_ldapsearch_computers.csv | search deviceType="abc"

  7. Restart the job manager:
    sudo service  caspida-jobmanager stop
    sudo service  caspida-jobmanager start
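To check the classification logic of that lookup query before you deploy it, the following Python example (added here, not Splunk's code) applies the same OU extraction, field renames and blackListUserIr rule to a constructed ldapsearch export: the OU regex from the rex command, mvjoin with " - ", and the exact and LIKE '%...%' tests from the eval. Note that the page's query writes blackListUserIr while the asset field list above names the field denyListUserIr; keep whichever name your UBA version accepts. The sample hosts, the DN values, and the function names transform_assets, device_type_from_dn and deny_user_resolution are this example's own.

```python
import csv
import io
import re

# Constructed sample of what the page's `| ldapsearch ... | outputlookup` search
# would write to uba_ldapsearch_computers.csv, trimmed to the attributes the
# lookup query actually uses. None of these hosts is real.
SAMPLE_LDAP_CSV = """\
name,dNSHostName,operatingSystem,countryCode,whenCreated,whenChanged,distinguishedName
DC01,dc01.corp.example.org,Windows Server 2019 Datacenter,840,2019-05-01T10:00:00Z,2023-11-20T08:15:00Z,"CN=DC01,OU=Domain Controllers,DC=corp,DC=example,DC=org"
PROXY01,proxy01.corp.example.org,Windows Server 2016 Standard,840,2019-06-12T09:30:00Z,2023-10-02T16:45:00Z,"CN=PROXY01,OU=Proxy Servers,OU=Infrastructure,DC=corp,DC=example,DC=org"
NS01,ns01.corp.example.org,Windows Server 2019 Standard,840,2020-03-03T11:11:00Z,2023-09-09T09:09:00Z,"CN=NS01,OU=DNS,DC=corp,DC=example,DC=org"
WS0042,ws0042.corp.example.org,Windows 10 Enterprise,840,2021-01-15T12:00:00Z,2023-12-01T07:05:00Z,"CN=WS0042,OU=Workstations,OU=NorCal,DC=corp,DC=example,DC=org"
"""

# Same pattern as the page's `rex max_match=0`: every OU= component of the DN
# that is followed by a comma. RDN values containing an escaped comma (\,) or
# an '=' are not handled, by this pattern or by the SPL one.
OU_PATTERN = re.compile(r".*?OU=([^,=]+),.*?")

# Field renames from the page's lookup query (LDAP attribute -> UBA asset field).
# The page's query passes the values through unchanged, including the numeric
# AD countryCode and the raw whenCreated/whenChanged timestamps.
RENAMES = {
    "name": "hostname",
    "dNSHostName": "dns",
    "operatingSystem": "os",
    "countryCode": "country",
    "whenCreated": "sys_created_on",
    "whenChanged": "sys_updated_on",
}

# Classification from the page's eval: exact matches and LIKE '%x%' substrings.
EXACT_MATCH = {"domain controllers", "azurecoread"}
SUBSTRING_MATCH = ("prox", "exch", "dns")


def device_type_from_dn(distinguished_name):
    """mvjoin(groups, " - ") over the OU components, leaf OU first."""
    return " - ".join(OU_PATTERN.findall(distinguished_name))


def deny_user_resolution(device_type):
    """True for infrastructure OUs whose logons should not bind users to hosts."""
    dt = device_type.lower()
    return dt in EXACT_MATCH or any(s in dt for s in SUBSTRING_MATCH)


def transform_assets(ldap_csv_text):
    """Turn ldapsearch rows into UBA asset rows; returns a list of dicts."""
    assets = []
    for row in csv.DictReader(io.StringIO(ldap_csv_text)):
        asset = {RENAMES.get(k, k): v for k, v in row.items()}
        asset["deviceType"] = device_type_from_dn(row["distinguishedName"])
        # The page's query writes the strings "true"/"false", as the asset fields expect.
        asset["blackListUserIr"] = "true" if deny_user_resolution(asset["deviceType"]) else "false"
        assets.append(asset)
    return assets


def to_asset_csv(assets):
    """Serialise the rows with hostname (the only required field) first."""
    columns = ["hostname", "blackListUserIr", "deviceType", "dns", "os", "country",
               "sys_created_on", "sys_updated_on", "distinguishedName"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(assets)
    return out.getvalue()


if __name__ == "__main__":
    for asset in transform_assets(SAMPLE_LDAP_CSV):
        print(f'{asset["hostname"]:<8} {asset["blackListUserIr"]:<6} {asset["deviceType"]}')
```

If a host you expect to be excluded prints false, the fix is in the OU naming or in the substring list, not in Splunk UBA: the rule only sees the OU path, so a proxy in an OU called "Web Gateways" is not matched until you add a test for it.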
    

View assets in your environment

Select Manage > Assets to view the assets identified in your environment.

Use Add Filter to limit the devices shown on this page.

Last modified on 09 December, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

