Get data into Splunk UBA

Splunk UBA uses data from the Splunk platform to identify potential insider and external threats to your environment. Work with Splunk Professional Services to get started with importing important data sources and filtering events.

Before you begin

Before you add data sources to Splunk UBA, run the following script to verify that the software is working correctly and is properly configured:

/opt/caspida/bin/utils/uba_pre_check.sh

The script checks the status of the following configurations:

• Admin users are correctly identified and normalized.
• Email is set up to send alerts, changes made for the geolocation on the UI, internal domains /etc/caspida/local/conf/uba-site.properties file.
• Internal IPs are set up /etc/caspida/local/conf/etl/configuration/EntityValidations.json file.
• Competitive domains are set up in the /etc/caspida/local/conf/competitorDomains.txt file.
• Verify network access to Google Maps, VirusTotal, WHOIS, MaxMind external services.

Add data sources to Splunk UBA

Complete the following steps to properly get data into Splunk UBA.

1. Verify you have the correct permissions. See Requirements for connecting to and getting data from the Splunk platform.
2. (Optional) See which data source types are supported in Splunk UBA. See View supported data source types and prepare to add data sources to Splunk UBA.
3. Get HR data into Splunk UBA. See Get HR data into Splunk UBA.
4. Get assets and identity data into Splunk UBA. See Identify assets in your environment.
5. Configure allow lists and deny lists in Splunk UBA for domains, IP addresses, or users. See Use allow and deny lists to generate or suppress anomalies.
6. Get data from the Splunk platform into Splunk UBA. See Use connectors to add data from the Splunk platform to Splunk UBA. You can get started with a smaller dataset before ingesting all of your data. See Get started with a small dataset.
7. Review and verify your data sources. See Verify that you successfully added the data source.

View supported data source types and prepare to add data sources to Splunk UBA

Before you add new data sources, review the types of data that you want to add and determine which ones Splunk UBA supports. See Which data sources do I need?.

Perform the following steps to view the data source types supported by Splunk UBA:

1. In Splunk UBA, select Manage > Data Sources.
2. Click New Data Source.
3. Review the data source types on the Data Source Type page. The supported data source types that can be added to Splunk UBA are listed on this page.

After you determine which data sources you can add, make sure that existing event filters do not affect the new data sources. Review the existing event filters to check for settings that negatively affect future data uploads. For example, an event filter that excludes source_IP data from one data source will affect the new data source. Modify the filters as needed as new data sources are added.

Splunk UBA provides support for English language logs only.

Get started with a small dataset

Get started with a smaller set of data before working in a full production environment. This is useful for verifying that the data coming into Splunk UBA is properly configured and mapped so that you see the desired anomalies and threats.

There are several ways to use a small dataset to get started in Splunk UBA:

• You can add data from a file to test on a small scale. See Add file-based data sources to Splunk UBA.
• You can add data from Splunk software to Splunk UBA in test mode, where Splunk UBA analyzes a sample set of data from the data source. See Add data sources to Splunk UBA in test mode.
• You can create an event filter, which is useful for limiting or targeting the data you are analyzing. You can apply filters to include or exclude devices or users. See Filter events analyzed by Splunk UBA for anomalies.