Splunk® User Behavior Analytics

Send and Receive Data from the Splunk Platform

Send Splunk UBA user and device association data to Splunk ES

These steps apply to Splunk UBA version 5.4.1 and Splunk Enterprise Security version 8.0.x. If you are not on Splunk Enterprise Security version 8.0.x, use the steps in the Splunk UBA version 5.4.0 edition of this document. See Send Splunk UBA user and device association data to Splunk ES.

You can set up Splunk User Behavior Analytics (UBA) to send user and device association data to Splunk Enterprise Security (ES). User and device association data from Splunk UBA is visible on the Session Center dashboard in Splunk ES. See Session Center dashboard in the Use Splunk Enterprise Security manual.

For Splunk UBA version 5.4.0 and higher, the Splunk ES account being used for UBA-ES integration must have the edit_token_http capability.

Set up authentication between UBA and Splunk ES

Complete these tasks to set up authentication between UBA and Splunk ES:

  1. Add a new user to UBA.
  2. Add new credentials for UBA input in Splunk Enterprise Security.

Add a new user to UBA

You must have a user named ubaesuser in UBA to authenticate requests from the SA-UEBA app. Complete the following steps to add this user:

  1. Log in to the Splunk UBA management server.
  2. In Splunk UBA, select Manage > UBA Accounts.
  3. Select New User Accounts and add a new user.
  4. Add a new user. The user name must be ubaesuser.
  5. Set the role to user.
  6. Provide the password and create the user.

Add new credentials for UBA input in Splunk ES

Splunk ES authenticates to UBA with a specific local UBA username and password. See Manage credentials in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

  1. In Splunk ES, select Configure > General settings > Credentials.
  2. Select New Credential.
  3. Input the Username as ubaesuser.
  4. Input the Realm as uba.
  5. Input the password for the ubaesuser user that you set up in the previous section. Input this password again to confirm.
  6. Select the SA-UEBA app.
  7. Select Save.

For the integration to work correctly, this ubaesuser user needs to exist in both UBA and Splunk ES. If the password for this user needs to change, it must be changed in both places.

Change a property in UBA

  1. Log in to the UBA management server as the caspida user using SSH.
  2. Open the /etc/caspida/local/conf/uba-site.properties file.
  3. Edit or create the identity.resolution.export.enabled setting and set it to true:
    identity.resolution.export.enabled=true
  4. Restart the UBA web interface service for the changes to take effect:
    sudo service caspida-ui stop
    sudo service caspida-ui start
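The "edit or create the setting" step above, written as an added POSIX shell helper (not Splunk's own tooling): set_property replaces an existing identity.resolution.export.enabled line or appends one if the key is absent, leaving every other line of uba-site.properties untouched, and restart_uba_ui wraps the documented stop/start sequence. It assumes the file uses plain key=value lines with no trailing comments after a value.

```shell
#!/bin/sh
# Added example, not part of the Splunk UBA documentation or product.
set -eu

# set_property FILE KEY VALUE
# Replace an existing "KEY=..." line, or append "KEY=VALUE" if KEY is absent.
# Commented-out "#KEY=..." lines are left alone; other lines are preserved.
set_property() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || touch "$file"
    tmp="$file.tmp.$$"
    if grep -q "^${key}=" "$file"; then
        # '|' as the sed delimiter: unlikely to appear in a key or value
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_property FILE KEY
# Print the effective value of KEY (last occurrence wins), or nothing if unset.
get_property() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# restart_uba_ui: the documented restart of the UBA web interface service.
restart_uba_ui() {
    sudo service caspida-ui stop
    sudo service caspida-ui start
}

# Typical use on the UBA management server (run as the caspida user):
#   set_property /etc/caspida/local/conf/uba-site.properties \
#       identity.resolution.export.enabled true
#   restart_uba_ui
```

Run get_property afterwards to confirm the value is "true" before restarting, since a typo in the key name silently leaves export disabled.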

Set up UBA in Splunk ES

  1. In Splunk ES select Configure > UBA Setup.
  2. Turn on Identity Integration.
  3. In the Server Address field, enter the UBA host, including the http or https scheme. No port number is required.
  4. Save the changes.

    A restart of your Splunk instance is required.

View user and device association information from UBA in Splunk ES

Follow these steps to view UBA user and device association information in Splunk ES:

In UBA the available entity types are Generic, Device, and User. In Splunk ES only Device and User are available.

  1. In Splunk ES, go to Security Domains > Identity > Session center – User Behavior Analytics. If you search with no criteria other than the entity type (User/Device), not all of the entries appear under the UBA tab in the ES interface.
  2. From the Select entity type drop-down menu select User or Device and a time frame to see the associations.
Last modified on 31 October, 2024

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.1