Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics


Which data sources do I need?

Before adding data sources to Splunk UBA, review the tables to find which data source types you may need to unlock desired use cases and detections.

Required data sources for Splunk UBA to identify users and devices

Human resources (HR) data and assets data are required for Splunk UBA to generate high-fidelity anomalies and threats.

Data source: HR data from your HR system
How Splunk UBA uses this data: HR data is required and must be the first data source ingested in Splunk UBA. HR data contains information about the accounts being tracked by Splunk UBA. Splunk UBA requires HR data to identify accounts and categorize account types, then associate each account with a human user. See Why Splunk UBA requires HR data for more information.

Data source: Assets data from your configuration management database (CMDB), Splunk Enterprise Security (ES), or Active Directory (AD)
How Splunk UBA uses this data: Assets data is required and must be the second data source onboarded, immediately after HR data. Assets data contains information about the devices in your environment. Splunk UBA requires assets data to track the behavior of assets in your system, display additional metadata for known entities, and allow blacklisting of devices that should not be associated with users. Splunk UBA requires assets data with DNS to properly perform device identity resolution. See Identify assets in your environment for more information.

See Ingest HR data and assets data using a dedicated source type for information about how to ingest these data sources.

Data sources for Splunk UBA to perform identity resolution

Splunk UBA performs identity resolution to find the real-time associations between IP addresses, host names, and users. Splunk UBA maintains these associations over time and also allows you to prevent anomalies from being generated for specific users and devices. See Exclude identity resolution for devices or users for more information.

The most accurate identity resolution is achieved by having all of the data sources in the table, and you must have at least one. The absence of a data source, such as DNS, does not prevent Splunk UBA from performing identity resolution, but may affect whether or not entities are properly mapped or whether the mappings are maintained over time.

Splunk UBA uses the following data sources to perform identity resolution:

Data source: Authentication
How Splunk UBA uses this data: Splunk UBA uses login events in authentication data to perform the following entity mappings:
  • IP addresses to hostnames
  • IP addresses to user accounts
  • Hostnames to user accounts

Data source: DNS
How Splunk UBA uses this data: Splunk UBA uses DNS query response data to map IP addresses to hostnames.

Data source: DHCP
How Splunk UBA uses this data: Splunk UBA uses log entries from new, renewed, or released leases to perform the following mappings:
  • IP address to MAC address
  • IP address to hostname

Data source: VPN
How Splunk UBA uses this data: Splunk UBA uses login and logout events in VPN data to map IP addresses to users.

See Which connector should I use for a particular data source? for information about how to ingest each data source.
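The mapping logic described above (IP-to-hostname, IP-to-MAC, IP-to-user and hostname-to-user associations built from authentication, DNS, DHCP and VPN events and kept valid over time) can be illustrated with a small time-aware resolver. This is an added example and not Splunk UBA code; the event dictionaries, their field names, and the rule that a DHCP lease release closes every current binding for that IP are assumptions made for the illustration, not UBA behaviour documented on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    """One observed association, valid from start until end (None = still current)."""
    value: str
    start: int
    end: Optional[int] = None


class IdentityResolver:
    """Keeps interval lists of IP->hostname, IP->MAC, IP->user and hostname->user
    associations so an entity can be resolved as of a given point in time."""

    def __init__(self) -> None:
        self.maps: Dict[str, Dict[str, List[Binding]]] = defaultdict(lambda: defaultdict(list))

    def _bind(self, kind: str, key: str, value: str, ts: int) -> None:
        bindings = self.maps[kind][key]
        if bindings and bindings[-1].end is None:
            if bindings[-1].value == value:
                return                  # same mapping seen again (e.g. a DHCP renewal)
            bindings[-1].end = ts       # a new value supersedes the current one
        bindings.append(Binding(value, ts))

    def _release(self, kind: str, key: str, ts: int) -> None:
        bindings = self.maps[kind][key]
        if bindings and bindings[-1].end is None:
            bindings[-1].end = ts

    def ingest(self, ev: dict) -> None:
        """Update the associations from one event. The event shapes are assumed."""
        src, ts = ev["source"], ev["ts"]
        if src == "dhcp":
            if ev["action"] in ("new", "renew"):
                self._bind("ip_mac", ev["ip"], ev["mac"], ts)
                self._bind("ip_host", ev["ip"], ev["host"], ts)
            elif ev["action"] == "release":
                # Assumption: once the lease is gone, nothing about that IP is current.
                for kind in ("ip_mac", "ip_host", "ip_user"):
                    self._release(kind, ev["ip"], ts)
        elif src == "dns":
            self._bind("ip_host", ev["ip"], ev["host"], ts)
        elif src == "vpn":
            if ev["action"] == "login":
                self._bind("ip_user", ev["ip"], ev["user"], ts)
            else:
                self._release("ip_user", ev["ip"], ts)
        elif src == "auth" and ev.get("success", True):
            self._bind("ip_user", ev["ip"], ev["user"], ts)
            self._bind("host_user", ev["host"], ev["user"], ts)
            self._bind("ip_host", ev["ip"], ev["host"], ts)

    def lookup(self, kind: str, key: str, at: int) -> Optional[str]:
        for b in self.maps[kind].get(key, []):
            if b.start <= at and (b.end is None or at < b.end):
                return b.value
        return None

    def resolve_ip(self, ip: str, at: int) -> Tuple[Optional[str], Optional[str], Optional[str]]:
        """Return (hostname, MAC, user) for an IP as of time `at`. When no login was
        seen from the IP itself, fall back to the user last associated with the host."""
        host = self.lookup("ip_host", ip, at)
        user = self.lookup("ip_user", ip, at)
        if user is None and host is not None:
            user = self.lookup("host_user", host, at)
        return host, self.lookup("ip_mac", ip, at), user


# Constructed sample events (not real logs); timestamps are plain integers.
SAMPLE_EVENTS = [
    {"source": "dhcp", "ts": 100, "action": "new", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01", "host": "wks-01"},
    {"source": "auth", "ts": 150, "ip": "10.0.0.5", "host": "wks-01", "user": "alice", "success": True},
    {"source": "dns", "ts": 250, "ip": "10.0.0.7", "host": "wks-01"},
    {"source": "dhcp", "ts": 400, "action": "release", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01", "host": "wks-01"},
    {"source": "dhcp", "ts": 450, "action": "new", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:02", "host": "wks-02"},
    {"source": "vpn", "ts": 500, "action": "login", "ip": "10.0.0.5", "user": "bob"},
    {"source": "vpn", "ts": 800, "action": "logout", "ip": "10.0.0.5", "user": "bob"},
]


def build_resolver(events=SAMPLE_EVENTS) -> IdentityResolver:
    resolver = IdentityResolver()
    for ev in sorted(events, key=lambda e: e["ts"]):
        resolver.ingest(ev)
    return resolver


if __name__ == "__main__":
    r = build_resolver()
    for t in (200, 420, 470, 600, 900):
        print(t, r.resolve_ip("10.0.0.5", t))
    print(300, r.resolve_ip("10.0.0.7", 300))
```

The interval lists are what make the resolution time-aware: the same IP resolves to wks-01 and alice at time 200 but to wks-02 and bob at time 600, and to nothing at all in the gap between the lease release and the new lease. The DNS-only host 10.0.0.7 shows the fallback path the text alludes to: with no login from that IP, the user is taken from the hostname association, which is weaker evidence than a direct login mapping.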

Data source types for use cases in Splunk UBA

After the required data sources are in Splunk UBA, ingest additional data sources to unlock detections for a variety of use cases in Splunk UBA. Splunk UBA provides the following use cases by default.

Use case: Account Misuse
Description: Accidental misuse and deliberate abuse of superuser privileges yield critical compliance and privacy risks with potentially severe financial consequences and damage to your company's reputation. Splunk UBA baselines the regular behavior of each account and identifies abnormalities that may indicate excessive usage, rare access, potential sabotage, or covering tracks. Splunk UBA's confidence grows as a user's activity deviates from the user's peer group profile and the enterprise profile. The higher the confidence, the higher the risk. Examples of such detections include using service accounts for VPN or interactive logins, data snooping, deleting audit logs, and accessing confidential information.
Typical contributing factors and data sources: Data sources such as:

Use case: Compromised User Account
Description: Splunk UBA identifies situations where user credentials have been stolen and are being used by someone other than the authorized human user or application. This use case can also detect shared account usage and generic account abuse. Splunk UBA uses behavior modeling to identify any deviation of user activity from normal, indicating that someone other than the legitimate owner is operating the account. Detection encompasses identifying unusual or malicious AD activity such as operations on self, terminated users, disabled accounts, and account recovery.
Typical contributing factors and data sources: Data sources such as:

Use case: Compromised and Infected Machine
Description: Splunk UBA can identify compromised network endpoints that are infected by malware or are otherwise behaving suspiciously. This differs from the Compromised User Account use case in that malicious activity might be detected on a host but not necessarily linked to a specific user account. For example, command and control traffic can be identified from a system where no user is currently logged in. Behavior-based modeling enables Splunk UBA to identify malware activity irrespective of the delivery mechanism of the initial infection. The detection techniques include tracking changes in the communication patterns of devices, the nature of communication with external domains or IPs, or characteristics of the domains.
Typical contributing factors and data sources: Data sources such as:

Use case: Contextual Intelligence
Description: Splunk UBA learns a lot about users and entities in the organization to identify anomalies that could be linked to threats. This information is extremely useful for analysts performing alert triage and incident investigations. For example, if an analyst suspects that an endpoint has been compromised, the analyst can use Splunk UBA to learn about that desktop's users, their regular behavior, and even the role of that endpoint in the network: is the endpoint a server or a workstation, and is it used for system administration or business functions?
Typical contributing factors and data sources: Identity resolution, device profiler models, and data sources such as:

Use case: Data Exfiltration
Description: Unauthorized or malicious data exfiltration may occur even by action of authorized users. As a result, this use case is focused on identifying this type of activity, which is necessary even when the ability to detect compromised accounts and endpoints is in place. Splunk UBA detects loss or theft of private and confidential data out of the enterprise across multiple threat vectors, such as network security infrastructure including firewalls and proxies, online cloud storage, attached storage including USB devices, and email.
Typical contributing factors and data sources: Data sources such as:

Use case: Lateral Movement
Description: Lateral movement involves a trusted insider scanning and expanding access across multiple resources. Detection techniques such as rare access or expanding resource usage are used to identify lateral movement. Resources here can be machines, network file shares, Box folders, and so on. Accesses can be network scans, brute-force logins, or legitimate logins.
Typical contributing factors and data sources: Data sources such as:

Use case: Suspicious Behavior / Unknown Threats
Description: In cases where there are not enough pre-defined signatures or correlations to cover some scenarios, Splunk UBA can effectively identify unknown scenarios by identifying anomalies based on deviations in user or device activity from self or peer group baselines, suspicious or malicious activity, and alerts from external tools, and correlating them into a threat. These suspicious account activities and unknown threats often demand further investigation and can lead to other potential threats such as malvertising, account compromise, account misuse, policy violations, or misconfiguration. The Suspicious Behavior / Unknown Threats use case is often used for content building: when an unknown scenario is detected, the scenario can be written into a correlation search or threat rule for deterministic detection.
Typical contributing factors and data sources: A combination of high scores or a large number of anomalies associated with entities.

Data source types for model-based anomalies in Splunk UBA

Before adding data sources to Splunk UBA, review this table to find which types of anomalies can be generated from certain types of data.

Anomaly rules typically have underscore characters in their names, while models do not. For example:

  • audit_log_cleared is an anomaly rule
  • Unusual Volume of Bytes Written to USB per User Model is an anomaly model

Data entering Splunk UBA is tagged with a view, which is roughly a category that determines how Splunk UBA interprets the data. For example, a network event from your CIM-compliant IDS/IPS logs is tagged with the Network view by Splunk UBA. See Understand data flow in Splunk UBA.

The value of the specific destination device in this event can be extracted by Splunk UBA's rules and models using view.Network.DestinationDevice. This table identifies the specific fields whose values are used by Splunk UBA's anomaly rules and models to generate anomalies. See Understanding Splunk UBA data cubes in Develop Custom Content in Splunk User Behavior Analytics for more information about extracting the values of specific fields.

Anomaly Model Data Sources View Cube Fields and Filters
Anomalous USB Activity Unusual Volume of Bytes Written to USB per User Model DLP

Endpoint
External Alarm

DLP dlpsummary_s view.*.user

view.*.user.uuid
view.data.portableDevice.deviceType
view.network.bytesFromClient

Filter:
view.data.portableDevice.deviceType='USB'

Unusual Volume of File Operations to USB per User Model DLP

Endpoint
External Alarm

DLP dlpsummary_s numEvents

view.*.user
view.*.user.uuid
view.data.portableDevice.deviceType

Filter:
view.data.portableDevice.deviceType='USB'

Blacklisted Application Fixed Patterns in Network Traffic Model Firewall AD N/A view.HTTP.getURL

view.Network.getDestinationDevice
view.Network.getSourceDevice

Filter:
Only incoming traffic is analyzed.

Blacklisted Domain Blacklisted Entity Model HTTP

DNS

DNS
HTTP
Network
semiaggr_s view.*.user.id

view.*.user.name
view.*.source.id
view.*.source.name
view.*.source.scope
view.network.destination.id
view.network.destination.name
view.network.destination.scope
view.http.url.uui
view.http.url.domainName
view.*.externalAction
numEvents

Filter:
destinationScope == 'External' or sourceScope == 'External'

Blacklisted IP Address Blacklisted Entity Model Network IDS/IPS DNS
HTTP
Network
semiaggr_s
Download From Internal Server Unusual Volume of Data Downloaded from Internal Server Per User Model Firewall Firewall semiaggr_s view.*.source.isPermanent

view.*.user
view.*.user.uuid
view.network.bytesToClient
view.network.destination.isPermanent
view.network.destination.scope
view.network.transfer

Filter:
(view.network.destination.scope is not null) AND (view.*.source.isPermanent = true) AND (view.network.destination.isPermanent = true)

Excessive Box Downloads Unusual Volume of Box Downloads per User Model Cloud Data CloudData fileaccess_s event.eventClass

event.format
view.*.resource.size
view.*.srcUser
view.*.srcUser.uuid

Filter:
event.format = 'Box'

Excessive Data Printed Unusual Volume of Data Printer per User Model Printer Printer printerdata view.*.User

view.*.User.uuid
view.printer.fileSize

Excessive Data Transmission Unusual Volume of Data Uploaded per User Model Network IDS/IPS

Firewall

Firewall semiaggr_s view.*.user

view.*.user.uuid
view.http.url.domainName
view.network.bytesFromClient
view.network.destination
view.network.destination.scope

Filter:
(view.http.url.domainName is not null) OR (view.network.destination is not null)

Unusual Volume of Data Uploaded per User Model (uses Connection Profiling) Network IDS/IPS

Firewall

Firewall semiaggr_s view.*.user

view.*.user.uuid
view.network.bytesFromClient
view.network.destination.scope
view.network.transfer

Filter:
view.network.destination.scope is not null

Unusual Volume of Data Uploaded per Device Model Network IDS/IPS

Firewall

Firewall semiaggr_s view.*.source

view.*.source.isPermanent
view.*.source.uuid
view.http.url.domainName
view.network.bytesFromClient
view.network.destination
view.network.destination.scope

Filter:
(view.http.url.domainName is not null OR view.network.destination is not null) AND view.*.source.isPermanent = true

Unusual Volume of Data Uploaded per Device Model (uses Connection Profiling) Network IDS/IPS

Firewall

Firewall semiaggr_s view.*.source

view.*.source.isPermanent
view.*.source.uuid
view.network.bytesFromClient
view.network.destination.scope
view.network.transfer

Filter:
(view.network.destination.scope is not null) AND view.*.source.isPermanent = true

Excessive Database Administration Tasks Unusual Volume of Admin commands per User Model Database Database databasesummary numEvents

view.database.commandName
view.database.databaseUser
view.database.databaseUser.uuid

Filter:
view.database.commandName in ('Abort', 'UCAbort')

Excessive Database Help Actions Unusual Volume of Help commands per User Model Database Database databasesummary numEvents

view.database.commandName
view.database.databaseUser
view.database.databaseUser.uuid

Filter:
view.database.commandName like '%Help%'

Excessive Database Permission Grants Unusual Volume of Grants per User Model Database Database databasesummary numEvents

view.database.commandName
view.database.databaseUser
view.database.databaseUser.uuid

Filter:
view.database.commandName like '%Grant%'

Excessive Database Records Deleted Unusual Volume of Database Records Deleted per User Model Database Database databasesummary view.database.commandName

view.database.databaseUser
view.database.databaseUser.uuid
view.database.recordsAffected

Filter:
view.database.commandName rlike '^(Drop|Delete|Truncate).*$'

Excessive Database Records Modified Unusual Volume of Database Records Modified per User Model Database Database databasesummary view.database.commandName

view.database.databaseUser
view.database.databaseUser.uuid
view.database.recordsAffected

Filter:
view.database.commandName in ('Alter Table', 'Merge Into', 'Replace View', 'Update')

Excessive Database Records Read Unusual Volume of Database Records Read per User Model Database Database databasesummary view.database.commandName

view.database.databaseUser
view.database.databaseUser.uuid
view.database.recordsAffected

Filter:
view.database.commandName in ('Select', 'Show')

Excessive Downloads via VPN Unusual Volume of VPN Traffic per User Model VPN Network semiaggr_s view.*.user

view.*.user.uuid
view.authentication.loginServerType
view.network.bytesToClient

Filter:
view.authentication.loginServerType = 'VPN'

Excessive File Size Change Excessive File Size Change Model Cloud Data

Network IDS/IPS
Authentication

CloudData fileaccess_s view.*.srcUser.name

view.*.srcUser.id
view.*.resource.name
view.*.resource.size
view.*.resource.id
view.*.resource.type
view.*.parentPath.fileName
view.*.parentPath.id
event.eventClass
view.*.dstUser.name
view.*.dstUser.id

External Alarm Activity. See About the External Alarm and External Alarm Activity anomalies in Splunk UBA for more information. External Alarm Analysis Model External Alarm ExternalAlarm externalalarms event.eventClass

view.*.riskClassification
view.*.externalAction
view.*.timeSlot
numEvents
view.*.alarmCategories
view.*.user.id
view.*.user.name
view.*.origin
view.*.origin.id
view.*.destination.id
view.*.destination.name
view.*.application.id
view.*.application.name

External Website Attack Suspicious Patterns in Incoming Web Traffic Model HTTP Network N/A view.Network.source.{name, scope}

view.Network.destination.{name, scope}
view.HTTP.URL.host

Filter:
Only events with Network view are analyzed.

Land Speed Violation Land Speed Violation Model Authentication Authentication N/A view.Network.source.{name, scope}

view.Network.destination.{name, scope}
view.Authentication.isLoginEvent
view.Authentication.ServerType

Filter:
Only incoming events with Authentication View, isLoginEvent = True, and ServerType = VPN

Machine Generated Beacon Web Beaconing Detection Model HTTP AD windowsevents view.HTTP.URL

view.HTTP.URL.Host
view.HTTP.URL.Address
view.HTTP.URL.Path
event.TimeInMilliSeconds
view.HTTP.Method
view.HTTP.ClientIp
view.HTTP.BytesSent
view.HTTP.PeeringHost
view.HTTP.MediaType
view.HTTP.Application
view.HTTP.ExternalAction
view.HTTP.ClientIp.UUId

Filter:
view.http.URL.Host != null. AND view.http.URL != null AND view.http.ClientIp.DeviceScope == Internal

Malicious AD Activity Fixed Patterns in Microsoft Windows Logs Model AD (Windows Security Events). See Add Windows events to Splunk UBA. AD N/A event.getToken("evid")

view.*.user
view.Authentication.getLoginType
view.*.returnCode
event.getToken("authenticationpackage")
event.getToken("targetaccountname")
event.getToken("accountname")
view.*.accountDomain
view.*.application

Filter:
data format is "AD"

Multiple Authentication Errors Unusual Volume of Authentication Failure Events per User Model Authentication Authentication authenticationevents view.*.user

view.*.user.uuid
view.authentication.isFailedLogin
view.authentication.isLogin

Filter:
view.authentication.isLogin > 0

Multiple Authentications Unusual Volume of Authentication Events per User Model Authentication Authentication authenticationevents event.eventClass

view.*.user
view.*.user.uuid
view.authentication.isFailedLogin
view.authentication.isLogin

Filter:
view.authentication.isLogin > 0 AND event.eventClass != 'FailedLogin'

Multiple Badge Accesses Unusual Volume of Badge Accesses per User Model Badge Access BadgeAccess badgeaccess numEvents

view.*.user
view.*.user.uuid

Multiple Box Login Errors Unusual Volume of Box Login Failure Events per User Model Cloud Data CloudData semiaggr_s event.eventClass

event.format
view.*.user
view.*.user.uuid
view.authentication.isFailedLogin
view.authentication.isLogin

Filter:
event.format = 'Box' AND view.authentication.isLogin > 0 AND (event.eventClass = 'FailedLogin' OR event.eventClass = 'Login')

Multiple Box Logins Unusual Volume of Box Login Events per User Model Cloud Data CloudData semiaggr_s event.eventClass

event.format
view.*.user
view.*.user.uuid
view.authentication.isLogin

Filter:
event.format = 'Box' AND view.authentication.isLogin > 0 AND event.eventClass = 'Login'

Multiple Box Operations Unusual Volume of Box Events per User Model Cloud Data CloudData fileaccess_s event.eventClass

event.format
numEvents
view.*.srcUser
view.*.srcUser.uuid

Filter:
event.format = 'Box' AND event.eventClass != 'Sync' AND event.eventClass != 'UnSync'

Multiple External Alarms Unusual Volume of External Alarms per Device Model External Alarm ExternalAlarm externalalarm numEvents

view.*.riskClassification
view.*.source.isPermanent
view.*.user
view.*.user.uuid

Filter:
view.*.source.isPermanent = true AND view.*.view.*.riskClassification is not null AND view.*.view.*.riskClassification != 'None'

Multiple File Operations Unusual Volume of File Access Related Events per User Model Cloud Data CloudData fileaccess_s event.eventClass
view.*.resource.fileName
Multiple Login Errors Unusual Volume of Failed Login Events per User Model Authentication Authentication authenticationevents view.*.user

view.*.user.uuid
view.authentication.isFailedLogin
view.authentication.isUserLogin

Filter:
view.authentication.isUserLogin > 0

Multiple Logins Unusual Volume of VPN login Events per User Model Authentication Authentication authenticationevents view.*.user

view.*.user.uuid
view.authentication.isFailedLogin
view.authentication.isUserLogin
view.authentication.loginServerType

Filter:
view.authentication.isUserLogin > 0 AND view.authentication.isFailedLogin = 0 AND view.authentication.loginServerType = 'VPN'

Multiple Outgoing Connections Unusual Volume of Outgoing Connections per Device Model Firewall numEvents

view.*.source
view.*.source.isPermanent
view.*.source.uuid
view.network.destination.scope

Filter:
(view.network.destination.scope = 'External') AND view.*.source.isPermanent = true

Unusual Volume of Outgoing Connections per User Model Firewall numEvents

view.*.user
view.*.user.uuid
view.network.destination.scope

Filter:
view.network.destination.scope = 'External'

Multiple Sessions Denial Unusual Volume of Blocked Connections per User Model Firewall numEvents

view.*.externalAction
view.*.user
view.*.user.uuid
view.network.destination.scope

Filter:
view.network.destination.scope = 'External' AND view.*.externalAction = 'Denied'

Unusual Volume of Blocked Connections per Device Model Firewall numEvents

view.*.externalAction
view.*.source
view.*.source.isPermanent
view.*.source.uuid
view.network.destination.scope

Filter:
view.network.destination.scope = 'External' AND view.*.externalAction = 'Denied' AND view.*.source.isPermanent = true

Period with Unusual Windows Security Event Sequences Active Directory Markov-Chain Correlation Model AD (Windows Security Events). See Add Windows events to Splunk UBA. AD AdPstIOC

AdPstModelReady

Potential Data Staging Unusual Volume of Data Uploaded to DMZ Devices per User Model External Alarm

Network IDS/IPS
Firewall

view.*.source.isPermanent

view.*.user
view.*.user.uuid
view.network.bytesFromClient
view.network.destination.scope
view.network.transfer

Filter:
(view.network.destination.scope is not null) AND view.*.source.isPermanent = true

Potential Webshell Activity Web Shell Model HTTP HTTP N/A view.HTTP.URL.Host

view.HTTP.URL.Name
view.HTTP.URL.Path
event.TimeInMilliSeconds
view.HTTP.ClientIp
view.HTTP.BytesReceived
view.HTTP.PeeringHost
view.HTTP.MediaType
view.HTTP.ExternalAction

Filter:
view.http.URL != null && view.http.URL.Host != null

Scanning Activity Network Scanning Detection Model Firewall Network semiaggr_s
Suspicious Account Lockout Suspicious Account Lockout Model AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents view.ad.targetAccount

view.ad.eventClass
view.ad.eventStatus
view.ad.eventSubStatus

Filter:
events with event ID 4740 (account lockout), 4723 (password change), 4625 with substatus 0xC0000071 (password expiry) and 4724 (password reset)

Suspicious Data Access Box Pattern Model Cloud Data

Network IDS/IPS
Authentication

CloudData fileaccess_s view.*.srcUser

event.eventClass
view.*.resource.id
view.*.resource.name
view.*.resource.size
view.*.resource.type
view.*.parentPath.fileName
view.*.parentPath.id
view.*.destUser.name
view.*.source
view.event.application

O365 File Access Pattern Model Cloud Data

Network IDS/IPS
Authentication

CloudData fileaccess_s view.*.srcUser

event.eventClass
view.*.resource.id
view.*.resource.name
view.*.resource.size
view.*.resource.type
view.*.parentPath.fileName
view.*.parentPath.id
view.*.destUser.name
view.*.source
view.event.application

Suspicious Data Movement Device Exfiltration Model Firewall Firewall semiaggr_s view.*.application

view.firewall.destinationZone
view.network.bytesFromClient
view.data.portableDevice.deviceId

Filter:
destinationScope == 'External' and sourceScope == 'Internal'

User Exfiltration Model Firewall Firewall semiaggr_s view.*.application

view.network.destination.country
view.network.bytesFromClient
view.data.portableDevice.deviceId

Filter:
destinationScope == 'External' and sourceScope == 'Internal'

Suspicious Domain Communication Malware Communication Model Firewall

HTTP
DNS
External Alarm

Firewall
HTTP
DNS
External Alarm
N/A view.DNS.Query

view.HTTP.URL.Host
view.HTTP.ApplicationType
view.DNS.ServerDevice.Port
view.HTTP.URL.Port
view.Network.DestinationDevice.Port
view.DNS.TTL
view.Network.BytesSent
view.Network.BytesReceived
view.Network.DestinationDevice
view.Network.SourceDevice
view.*.UserIds
view.HTTP.Referrer.Host
view.HTTP.BrowserInfo
view.HTTP.Method
view.HTTP.MediaType
view.HTTP.EventReturnCode
view.HTTP.ProtocolVersion
view.HTTP.URL.getPath
view.HTTP.ContentType

Filter:
NetworkView.getDestinationDevice is external

Suspicious Domain Name Malware Communication Model HTTP

DNS

HTTP
DNS
N/A view.DNS.Query

view.HTTP.URL.Host
view.HTTP.ApplicationType
view.DNS.ServerDevice.Port
view.HTTP.URL.Port
view.Network.DestinationDevice.Port
view.DNS.TTL
view.Network.BytesSent
view.Network.BytesReceived
view.Network.DestinationDevice
view.Network.SourceDevice
view.*.UserIds
view.HTTP.Referrer.Host
view.HTTP.BrowserInfo
view.HTTP.Method
view.HTTP.MediaType
view.HTTP.EventReturnCode
view.HTTP.ProtocolVersion
view.HTTP.URL.getPath
view.HTTP.ContentType

Filter:
NetworkView.getDestinationDevice is external

Suspicious Email Suspicious Email Detection Model Email Email emailsummary view.email.sender

view.email.senderDomain
view.email.recipients
view.email.hasAttachment
view.email.subject
view.email.attachmentSize

Suspicious HTTP Redirects Browser Exploitation Model HTTP HTTP N/A
Suspicious Network Connection Network Transport Model Network IDS/IPS Everything from the Network view N/A None
Suspicious Network Exploration Users Increasing Device Access Model AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents view.ad.eventId

view.authentication.logonProcess
view.*.processName
view.ad.targetAccount.accountName
view.ad.sourceAccount.accountName
view.network.destination
view.ad.sourceDomain
view.ad.targetDomain
view.ad.rawSourceAddress
view.ad.rawTargetAddress
view.ad.rawSourceWorkstation

Filter:
dataFormat == "AD"

Suspicious New Access New Access Model for Box Cloud Data CloudData fileaccess_s view.Data.*.srcUser

view.Data.*.destUser
view.Data.*.resource.fileName
event.application
event.eventClass

Filter:
Only events with log format BOX are analyzed.

Suspicious Powershell Activity Powershell Detection Offline Model Endpoint Network PowerShellEvent
Suspicious Privilege Escalation Suspicious Privilege Escalation Model AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents view.ad.targetAccount

view.ad.sourceAccount
view.ad.adEnabledPrivileges
view.network.destination
view.ad.eventId

Filter:
eventId = '4672' AND targetAccountName is not null

Unusual Activity Time Unusual Per Day Activity Time Model, Unusual Per Week Activity Time Model Authentication

Network IDS/IPS

Authentication N/A event.TimeInMilliSeconds

event.getAnyUser

Filter:
Authentication.isUserLoginEvent = True && Authentication.isLogoutEvent = False && Authentication.getAnyUser not null

Unusual Application Scope Rare Egress Application Model External Alarm

Firewall
Network IDS/IPS

Firewall semiaggr_s view.network.source.scope

view.firewall.possibleServerPort
view.http.applicationType
view.network.destination.scope

Filter:
view.network.source.isPermanent = true && view.network.source.scope = 'Internal' && view.network.destination.scope is not null

Unusual Database Activity Rare Database Activity Model Database Database databasesummary Everything from the Database view
Unusual Entry Type Badge Reader Access Rare Badge Reader Access Model Badge Access BadgeAccess badgeaccess
Unusual Error Rare Microsoft Windows Events Model AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents
Unusual Event Rare Microsoft Windows Events Model AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents
Unusual External Alarm Rare External Alarms Model External Alarm ExternalAlarm externalalarms Everything from the External Alarm view.

Filter:
view.externalalarm.source.isPermanent = true

Unusual File Access Rare File Access Model Cloud Data

Network IDS/IPS
Authentication

CloudData fileaccess_s event.eventClass

view.event.application
view.data.srcUser
view.data.destUser

Unusual Firewall Alarm Frequent Pattern Mining of Firewall Alarms Firewall ExternalAlarm semiaggr_s view.*.source.uuid

view.*.source.scope
view.*.source.isPermanent
view.network.destination.uuid
view.network.destination.scope
view.network.destination.isPermanent
view.network.interactive
view.network.machine
event.eventClass
view.*.application.uuid
view.*.riskClassification
view.*.externalAction

Filter:
(view.*.source.scope = 'Internal' && view.*.source.isPermanent = true) OR (view.network.destination.scope = 'Internal' && view.network.destination.isPermanent = true)

Unusual Geolocation of Communication Destination Rare Destination IP Geolocation Model VPN Firewall semiaggr_s
Unusual Login Domain Rare Microsoft Windows Device Access Model Using Login Data AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents
Unusual Login Error Rare Microsoft Windows Device Access Model Using Login Data AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents
Unusual Login Process Rare Microsoft Windows Device Access Model Using Login Data AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents
Unusual Login Type Rare Microsoft Windows Device Access Model Using Login Data AD (Windows Security Events). See Add Windows events to Splunk UBA. AD windowsevents
Unusual Machine Access Rare Microsoft Windows Device Access Model Using Login Data Authentication

Network IDS/IPS

AD windowsevents view.ad.targetAccount.accountName

view.authentication.loginType
view.authentication.logonProcess
view.*.processName
view.ad.returnCode

Rare Microsoft Windows Device Access Model Using Authentication Data Authentication

Network IDS/IPS

AD windowsevents view.ad.targetAccount.accountName

view.ad.returnCode

Unusual Network Activity Rare Port for Application Model Firewall Firewall remodelfeatures view.firewall.possibleServerPort

view.firewall.application
view.firewall.sourceZone
view.firewall.destinationZone
view.firewall.source
view.network.destination

Filter:
view.firewall.source.isPermanent = true

| Anomaly | Model | Data Sources | View | Cube | Fields and Filters |
|---|---|---|---|---|---|
| | Rare Destination IP Geolocation Model | Network IDS/IPS | Firewall | semiaggr_s | `view.network.destination.country`, `view.network.user`, `view.network.source`. Filter: `view.network.destination.scope = 'External' && view.*.source.isPermanent = true` |
| Unusual Network Activity | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | |
| Unusual Network Application | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | |
| Unusual Network Port | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | |
| Unusual Network Zone | Rare Port for Application Model | Firewall | Firewall | remodelfeatures | |
| Unusual Process or Process Path | Rare Microsoft Windows Events Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Resource Type | Rare Microsoft Windows Events Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | |
| Unusual Time of Badge Access | Unusual Time of Badge Access Model | Badge Access | BadgeAccess | badgeaccess | |
| Unusual USB Activity | USB Activity Model | Endpoint, External Alarm | DLP | dlpsummary_s | `view.*.endpoint`, `view.*.user`, `view.Data.portableDevice.deviceType`, `view.Data.portableDevice.vendor`, `view.*.externalAction`. Filter: `deviceType = USB and externalAction != Blocked` |
| Unusual VPN Connection Sources | Unusual Change in Ratio of Users per Remote Source in Successful VPN Authentication Events | Authentication, Cloud Data, Endpoint, External Alarm, Firewall, HTTP, Network IDS/IPS, AD (Windows Security Events). See Add Windows events to Splunk UBA. | Authentication, Network | authenticationEvents | `view.network.server.uuid`, `view.network.server`, `view.*.destUser.uuid`, `view.*.destUser`, `view.network.source.uuid`, `view.network.source`, `view.authentication.loginServerType`, `view.authentication.isSuccessfulLogin`. Filter: `view.authentication.loginServerType = 'VPN' AND view.authentication.isSuccessfulLogin` |
| Unusual VPN Login Geolocation | Rare VPN Login Location Model | Authentication, Network IDS/IPS | Firewall | semiaggr_s | `view.authentication.source.country`, `view.authentication.user`, `view.authentication.source`. Filter: `view.authentication.loginServerType = 'VPN' && view.network.source.scope = 'External'` |
| Unusual Web Browser | Rare User Agent String Model | HTTP | HTTP | httpsummary_s | `view.http.userAgentString`, `view.http.clientIp`. Filter: `view.http.clientIp.isPermanent = true && view.http.clientIp = 'Internal'` |
| Unusual Windows Security Event | Rare Microsoft Windows Events Model | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | `view.ad.processName`, `view.ad.eventClass`, `view.ad.processPath`, `view.ad.returnCode`, `view.ad.targetAccount.accountName`, `view.ad.resource.resourceType`. Filter: `view.network.source.isPermanent = true` |
| Unusually Long VPN Session | Unusual VPN Duration Model | VPN | Network | semiaggr_s | |
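
The Filter column scopes which events each model is allowed to see, so a data source can be ingested and still feed a model nothing if the filter never matches. The Python below is an added example, not Splunk UBA code: it applies the filter expressions listed for the Rare Destination IP Geolocation, Unusual USB Activity, Unusual VPN Connection Sources and Unusual VPN Login Geolocation models to a handful of constructed events nested like the `view.*` paths in the table. UBA evaluates these filters on its own cubes; the evaluator here mirrors only the syntax visible on this page (`&&`, `AND`/`and`, `=`, `!=`, quoted or bare values, a bare boolean field, and a `*` path segment matching any key). Resolving bare names such as `deviceType` to any leaf with that name is an assumption about how UBA maps them onto the listed `view.Data.portableDevice.deviceType` and `view.*.externalAction` fields, and the sample events and their `id` values are constructed for the example.

```python
# Added example, not Splunk UBA code: applies the documented Filter expressions to
# sample events. UBA evaluates these filters on its own cubes; only the syntax
# visible on the page is mirrored here.
import re

# Constructed sample events (not real UBA data), nested like the view.* paths.
SAMPLE_EVENTS = [
    {"id": "vpn-ok", "view": {"authentication": {"loginServerType": "VPN", "isSuccessfulLogin": True},
                              "network": {"source": {"scope": "External", "isPermanent": True}}}},
    {"id": "vpn-failed", "view": {"authentication": {"loginServerType": "VPN", "isSuccessfulLogin": False},
                                  "network": {"source": {"scope": "External", "isPermanent": True}}}},
    {"id": "ldap-ok", "view": {"authentication": {"loginServerType": "LDAP", "isSuccessfulLogin": True},
                               "network": {"source": {"scope": "Internal", "isPermanent": True}}}},
    {"id": "net-external", "view": {"network": {"destination": {"scope": "External", "country": "RU"},
                                                "source": {"scope": "Internal", "isPermanent": True}}}},
    {"id": "net-dhcp", "view": {"network": {"destination": {"scope": "External", "country": "RU"},
                                            "source": {"scope": "Internal", "isPermanent": False}}}},
    {"id": "usb-write", "view": {"Data": {"portableDevice": {"deviceType": "USB", "vendor": "Acme"}},
                                 "endpoint": {"externalAction": "Allowed"}}},
    {"id": "usb-blocked", "view": {"Data": {"portableDevice": {"deviceType": "USB", "vendor": "Acme"}},
                                   "endpoint": {"externalAction": "Blocked"}}},
]

# Filter expressions copied from the table.
RARE_GEO_FILTER = "view.network.destination.scope = 'External' && view.*.source.isPermanent = true"
USB_FILTER = "deviceType = USB and externalAction != Blocked"
VPN_SOURCES_FILTER = "view.authentication.loginServerType = 'VPN' AND view.authentication.isSuccessfulLogin"
VPN_GEO_FILTER = "view.authentication.loginServerType = 'VPN' && view.network.source.scope = 'External'"

_CLAUSE_RE = re.compile(r"^([\w.*]+)\s*(?:(!=|=)\s*(.+?))?$")

def _parse_value(raw):
    """true/false -> bool, 'quoted' -> str, anything else -> bare str (USB, Blocked)."""
    raw = raw.strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw

def _resolve(node, segments):
    """Yield every value reachable along segments; a '*' segment matches any key."""
    if not segments:
        yield node
    elif isinstance(node, dict):
        keys = list(node) if segments[0] == "*" else [segments[0]] if segments[0] in node else []
        for key in keys:
            yield from _resolve(node[key], segments[1:])

def _leaves_named(node, name):
    """Assumed mapping for bare names such as deviceType: any leaf with that key, any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == name and not isinstance(value, dict):
                yield value
            yield from _leaves_named(value, name)

def _lookup(event, path):
    segments = path.split(".")
    return list(_leaves_named(event, path)) if len(segments) == 1 else list(_resolve(event, segments))

def matches(event, filter_expr):
    """True when every clause holds; a clause over a missing field never matches."""
    for clause in re.split(r"\s*&&\s*|\s+(?:AND|and)\s+", filter_expr.strip()):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"cannot parse filter clause: {clause!r}")
        path, op, raw = m.groups()
        values = _lookup(event, path)
        if not values:
            return False
        if op is None:        # bare field, for example isSuccessfulLogin: must be truthy
            ok = any(bool(v) for v in values)
        elif op == "=":       # equality holds if any resolved value matches
            ok = any(v == _parse_value(raw) for v in values)
        else:                 # '!=' must hold for every resolved value
            ok = all(v != _parse_value(raw) for v in values)
        if not ok:
            return False
    return True

def select(events, filter_expr):
    """Ids of the events a model's filter lets through."""
    return [e["id"] for e in events if matches(e, filter_expr)]

if __name__ == "__main__":
    for name, f in [("Rare Destination IP Geolocation", RARE_GEO_FILTER), ("Unusual USB Activity", USB_FILTER),
                    ("Unusual VPN Connection Sources", VPN_SOURCES_FILTER), ("Unusual VPN Login Geolocation", VPN_GEO_FILTER)]:
        print(f"{name}: {select(SAMPLE_EVENTS, f)}")
```

Running it lists which sample ids each filter admits. The contrast worth noting is between the two VPN models: the geolocation filter keeps the failed VPN login that the connection-sources filter drops, because only the latter requires `isSuccessfulLogin`, and the destination-geolocation filter drops the event whose source lacks a permanent identity even though its destination is external.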

Data source types for rule-based anomalies in Splunk UBA

| Anomaly | Rule | Data Sources | View | Cube | Fields and Filters |
|---|---|---|---|---|---|
| AD Audit Log Cleared | audit_log_cleared | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | eventId |
| AD Recovery Account | ad_recovery_account | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Admin Change to Self | admin_changes_on_self | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | eventId, targetuser, username, useraccount |
| AmplificationDOS | amplification_dos_pan | Firewall | Firewall | semiaggr_s | destination, bytesin, bytesout, application |
| Confidential Print | potential_confidential_documents_printed | Printer | Printer | printerdata | fileName |
| Disabled Account Activity | disabled_account_activity | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | eventId, substatus, returncode |
| DLP Changed Name | dlp_changed_name | DLP | DLP | dlpsummary_s | sourcefile, destinationfile, type |
| DLP File Access Peer | pga_fileaccess | DLP | DLP | dlpsummary_s | sourcefile |
| DLP File Multiple Vectors | dlp_source_multiple_types | DLP | DLP | dlpsummary_s | eventTypeId |
| DLP Multiple Files | dlp_multiple_sourcefile | DLP | DLP | dlpsummary_s | sourcefile |
| DLP Multiple Vectors | dlp_multiple_types | DLP | DLP | dlpsummary_s | eventTypeId |
| DLP Print Violations | dlp_print_multiple_policy | DLP | DLP | dlpsummary_s | eventTypeId, policy |
| DLP Social and Credit | dlp_ssn_and_cc | DLP | DLP | dlpsummary_s | sourcefile |
| DLP Unusual Vector Peer | pga_dlptype | DLP | DLP | dlpsummary_s | N/A |
| DLP Web Personal | dlp_web_personal | DLP | DLP | dlpsummary_s | destinationpath |
| Email Attachment Size | data_transfer_over_email | Email | Email | emailsummary | attachmentSize |
| Email to Competitor | email_to_competitor | Email | Email | emailsummary | N/A |
| Email to Self | email_to_self | Email | Email | emailsummary | N/A |
| Failed Badge Accesses on Multiple Doors | Failed_Badge_Entry_Multiple_Doors | Badge Access | BadgeAccess | badgeaccess | objectName |
| High DLP Matches | daily_user_dlpmatches_anomaly | DLP | DLP | dlpsummary_s | matches |
| High File Writes | daily_user_dlp_file_transfer_anomaly | DLP | DLP | dlpsummary_s | destinationfile |
| High Print Job Count | daily_user_prints_anomaly | Printer | Printer | printerdata | eventTypeId |
| High Print Jobs Peer | pga_number_of_print_jobs | Printer | Printer | printerdata | N/A |
| High Printer Usage Peer | pga_number_of_pages | Printer | Printer | printerdata | totalPages |
| High USB Bytes | daily_user_usb_data_transfer_anomaly | DLP | DLP | semiaggr_s | deviceType, internalaction, eventname |
| High USB Denials | daily_user_usb_denies_anomaly | DLP | DLP | semiaggr_s | devicetype, internalaction |
| High USB Writes | daily_user_usb_file_write_anomaly | DLP | DLP | semiaggr_s | deviceType, internalaction, eventname |
| Host Data Deletion | csendpoint_high_datadeleton | Firewall | Firewall | semiaggr_s | N/A |
| Host Infection | csendpoint_high_infection | Firewall | Firewall | semiaggr_s | N/A |
| Host Lateral Movement | csendpoint_high_lateralmovement | Firewall | Firewall | semiaggr_s | N/A |
| HTTP Blacklisted Domain | download_from_suspicious_blacklisted_domain | HTTP | HTTP | httpsummary_s | applicationtype (URL Category), bytesout, bytesin, clientip, source, domain |
| HTTP Exfiltration Domain | http_transfer_to_storage_site | HTTP | HTTP | httpsummary_s | applicationtype (URL Category), bytesout, bytesin |
| HTTP Job Domain | job_search_proxy | HTTP | HTTP | httpsummary_s | applicationtype (URL Category) |
| HTTP Malware Domain | downlaod_from_suspicious_infection_domain | HTTP | HTTP | httpsummary_s | applicationtype (URL Category), bytesout, bytesin, clientip, source, domain |
| HTTP Phishing Domain | download_from_suspicious_credentialacces_domain | HTTP | HTTP | httpsummary_s | applicationtype (URL Category), bytesout, bytesin, clientip, source, domain |
| HTTP Policy Domain | download_from_suspicious_policyviolation_domain | HTTP | HTTP | httpsummary_s | applicationtype (URL Category), bytesout, bytesin, clientip, source, domain |
| HTTP Proxy Domain | usage_of_proxy_anonymizer | HTTP | HTTP | httpsummary_s | applicationtype (URL Category), bytesout, bytesin |
| Local Account Created | local_account_creation | Windows Security Events (AD), Windows Security Events (Workstation) | AD | windowsevents | ComputerName, AccountDomain |
| Multiple Failed Entry Attempts | disabled_badge_access | Badge Access | BadgeAccess | badgeaccess | objectName |
| Multiple Password Resets | password_policy_circumvention | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | N/A |
| Multiple Users Failed Access | failed_access_multiple_users | Badge Access | BadgeAccess | badgeaccess | objectName |
| New AD Account | new_account_detected2 | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| PAN Evasion Domain | suspicious_defenseevasion_uri_pan | Firewall | Firewall | semiaggr_s | category |
| PAN High Risk Domain | suspicious_policyviolation_uri_pan | Firewall | Firewall | semiaggr_s | category |
| PAN Job Search | job_search_pan | Firewall | Firewall | semiaggr_s | category |
| PAN Malware Domain | malicious_infection_uri_pan | Firewall | Firewall | semiaggr_s | category |
| PAN Phishing Domain | malicious_credentialaccess_uri_pan | Firewall | Firewall | semiaggr_s | category |
| PAN Unwanted Domain | suspicious_blacklisted_uri_pan | Firewall | Firewall | semiaggr_s | category |
| Print Unusual Extension Peer | pga_file_extension_printed | Printer | Printer | printerdata | fileName |
| Resume Sent | email_resume | Email | Email | emailsummary | hasAttachments, subject |
| Service Account AD | service_account_login_ad | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Service Account VPN | service_account_login_vpn | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Short Lived Account | account_creation_deletion_in_short_span | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | eventid, username, targetuser |
| Short Lived Security Membership | member_added_removed_in_short_span | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Targeted Group Phishing | spear_phishing | Email | Email | emailsummary | evcls |
| Terminated Account Usage | terminated_user_activity | Any | Any | semiaggr_s | userstatus (from HR data) |
| Unauthorized Login Device | unauthorized_machine_login | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | N/A |
| Unauthorized Login Time | unauthorized_activity_time | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | N/A |
| Unauthorized Login Type | unauthorized_logintype | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | windowsevents | N/A |
| Unusual AD Event - Peer Group | pga_unusualadevent | AD (Windows Security Events). See Add Windows events to Splunk UBA. | AD | semiaggr_s | N/A |
| Unusual Cloud Storage Deletions | cloud_high_number_of_deletions | Cloud Data | CloudData | fileaccess_s | N/A |
| Unusual Cloud Storage Downloads | cloud_high_number_of_downloads | Cloud Data | CloudData | fileaccess_s | N/A |
| Unusual File Extension | cloud_unusual_fileextension_access | Cloud Data | CloudData | fileaccess_s | N/A |
| Unusual Printer Usage | potential_confidential_documents_printed | Printer | DLP | dlpsummary_s | |
| Unusual USB Device Plugged In | unusual_usb_plugin | DLP | DLP | semiaggr_s | deviceType, internalaction, deviceid |
| Unusual Web Protocol Exfiltration | suspicious_file_transfer | HTTP | HTTP | httpsummary_s | protocol, applicationtype (URL Category) |
| USB Storage Attached an Unusually High Number of Times | multiple_usb_plugs | DLP | DLP | semiaggr_s | deviceid |

About the External Alarm and External Alarm Activity anomalies in Splunk UBA

In Splunk UBA releases earlier than 4.1, the External Alarm anomaly was raised by a streaming model each time Splunk UBA ingested a notable event or external alarm category event from Splunk ES whose severity was critical. Events of any lower severity did not trigger the anomaly.

In Splunk UBA release 4.1 and later, the External Alarm anomaly is replaced by the External Alarm Activity anomaly. The External Alarm Activity anomaly is generated by the External Alarm Analysis Model, an offline model, and is triggered when the total number of critical-severity notable events or external alarm category events from Splunk ES exceeds a certain threshold. You can view details for this anomaly in Data source types for model-based anomalies in Splunk UBA.

The External Alarm Activity anomaly uses alert grouping in both its detection logic and its presentation, so there is no one-to-one correspondence between the number of notable events and the number of External Alarm Activity anomalies for a user. For example, the Summary of external alarm activity panel on the Anomaly Details page may show a single External Alarm Activity entry for a user; click the entry to expand it and see the multiple External Alarm Activity anomalies grouped under that user.
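
The Python below is an added example, not Splunk UBA code, that contrasts the two behaviours described above over a few constructed Splunk ES notable events: the pre-4.1 streaming path raises one anomaly per critical notable as it arrives, while the 4.1 and later path groups critical notables and raises one anomaly carrying the whole group once it crosses a threshold. The per-user, per-day grouping and the threshold of 3 are assumptions chosen for the example; this page does not state the External Alarm Analysis Model's actual window or threshold, and the notable events, users and rule names are constructed.

```python
# Added example, not Splunk UBA code: contrasts the pre-4.1 streaming External Alarm
# anomaly with the 4.1+ grouped External Alarm Activity anomaly described above.
# The per-user, per-day grouping and the threshold of 3 are assumptions; the page
# does not state the External Alarm Analysis Model's real window or threshold.
from collections import defaultdict
from datetime import datetime

# Constructed Splunk ES notable events (not real data): (time, user, severity, rule name).
NOTABLES = [
    ("2021-04-20T09:00:00", "alice", "critical", "Malware Detected"),
    ("2021-04-20T09:05:00", "alice", "critical", "Brute Force Access"),
    ("2021-04-20T09:07:00", "alice", "high", "Excessive Failed Logins"),
    ("2021-04-20T09:30:00", "alice", "critical", "Suspicious PowerShell"),
    ("2021-04-20T10:00:00", "bob", "critical", "Malware Detected"),
    ("2021-04-21T11:00:00", "alice", "critical", "Malware Detected"),
]

def streaming_external_alarm(notables):
    """Pre-4.1: one External Alarm anomaly per critical notable event, as it is ingested."""
    return [{"user": u, "time": t, "rule": r} for t, u, sev, r in notables if sev == "critical"]

def external_alarm_activity(notables, threshold=3):
    """4.1+ (modelled): group critical notables per user and day; when a group's size
    reaches the threshold, raise one anomaly that carries the whole group."""
    groups = defaultdict(list)
    for t, u, sev, r in notables:
        if sev != "critical":          # lower severities never count toward the threshold
            continue
        day = datetime.fromisoformat(t).date().isoformat()
        groups[(u, day)].append({"time": t, "rule": r})
    return [
        {"user": user, "day": day, "count": len(evts), "grouped_events": evts}
        for (user, day), evts in sorted(groups.items())
        if len(evts) >= threshold
    ]

if __name__ == "__main__":
    print(len(streaming_external_alarm(NOTABLES)), "External Alarm anomalies before 4.1")
    for a in external_alarm_activity(NOTABLES):
        print(f"{a['user']} {a['day']}: one External Alarm Activity anomaly grouping {a['count']} notables")
```

With these inputs the streaming path yields five anomalies, one per critical notable, while the grouped path yields a single anomaly for alice on 2021-04-20 that carries three notables; the high-severity notable never counts and bob's lone critical stays below the threshold. That is the gap between notable count and anomaly count the paragraph above warns about.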

Follow the instructions in Pull notable events from Splunk ES to Splunk UBA in the Send and Receive Data from the Splunk Platform manual to get notable events from Splunk ES into Splunk UBA.

Last modified on 23 April, 2021

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4, 5.0.4.1, 5.0.5

