Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Filter events analyzed by Splunk UBA for anomalies

Limit or target the data analyzed by Splunk UBA with filters. You can create two types of filters:

  • Event filters to restrict event analysis based on field values. Filtering occurs after the data is added to Splunk UBA, but before Splunk UBA analyzes the data.
  • HR data global filter to restrict event analysis to only events that contain users present in the HR data. Filtering occurs before you add data to Splunk UBA and is enabled by default.

For example, you can use filters to exclude all events containing the user name of a penetration testing account or the IP address of a machine used in a malware lab. Event filters apply to all data added to Splunk UBA. If a filter is no longer needed, delete it.

Event filters can only include or exclude the specific fields for a category. For example, you cannot create a filter that excludes events with the user "buttercup" but includes events with the user "daisymug".

Do not create filters that overlap. For example, a filter that includes all events from the AD group "Ponies" but excludes events of the user "buttercup", who is a member of the "Ponies" AD group, will result in unpredictable event filtering, depending on the order of execution of the filters.

Create an event filter

Create event filters after configuring data sources.

  1. Select Manage > Data Sources.
  2. Click Event Filters.
  3. Select a filter type.
  4. Select the users, devices, AD groups, or event fields to filter.
  5. Select whether to include or exclude the selected users, devices, AD groups, or event fields.
  6. Click OK to save your filters.
  7. Stop and restart the containers, and also sync the cluster in multi-node deployments.
    /opt/caspida/bin/Caspida stop-containers
    /opt/caspida/bin/Caspida sync-cluster
    /opt/caspida/bin/Caspida start-containers
    

Example: create an event filter involving users

Create a filter to exclude events associated with the user Simon Roma.

  1. Select Manage > Data Sources.
  2. Click Event Filters.
  3. Select a filter type of Users.
  4. Click Add Users to add a new user filter.
  5. Search for the user name Simon Roma.
  6. Check the checkbox next to the user name and click OK.
  7. Select the Exclude the events for the specified users radio button.
    This screen image shows the Event Filter dialog window. The Users option is selected in the left-side selector. The user Simon Roma appears in the window because it was already selected, and "Exclude the events for the specified users" is selected.
  8. Click OK to save the filter.
  9. Stop the containers, synchronize the cluster if needed, then start the containers.

Example: create an event filter involving devices

Create a filter to exclude internal devices in the RFC1918 IP address range.

  1. Select Manage > Data Sources.
  2. Click Event Filters.
  3. Select a filter type of Internal Devices.
  4. Click Add Internal Devices to add a new user filter.
  5. Enter the CIDR or IP address of the devices you want to filter. In this example, we will filter the RFC1918 IP address ranges:
    • 10.0.0.0/8
    • 172.16.0.0/12
    • 192.168.0.0/16
  6. Select the Exclude the events for the specified internal devices radio button.
    This screen image shows the Event Filter dialog window. The Internal Devices option is selected in the left-side selector. The RFC1918 IP address ranges listed immediately above this image are entered in the fields, and "Exclude the events for the specified users" is selected.
  7. Click OK to save the filter.
  8. Stop the containers, synchronize the cluster if needed, then start the containers.

Additional steps required for filters using AD groups

Perform the following additional steps if your event filter uses AD groups:

  1. Stop the Splunk UBA containers.
    /opt/caspida/bin/Caspida stop-containers
  2. Check your system to see if the /etc/caspida/local/conf/attribution/Account.json exists. If not, copy /opt/caspida/conf/attribution/Account.json to /etc/caspida/local/conf/attribution/Account.json.
  3. Edit /etc/caspida/local/conf/attribution/Account.json and change "useInModel": false to "useInModel": true in following JSON block:
    {
       "name": "userGroups",
       "sourceNames": ["memberOf","groups"],
       "properties" : {
          "type": "ARRAY",
          "label": "AD Group",
          "pluralLabel": "AD Groups",
          "showInDetails": true,
          "showInFilters": true,
          "showInGroupBy": true,
          "useInModel": false
       }
    },
    
  4. Save your changes to the Account.json file.
  5. Run the following commands to sync the cluster and restart the containers.
    /opt/caspida/bin/Caspida sync-cluster
    /opt/caspida/bin/Caspida start-containers
    

Filter events based on event fields

To filter events based on the fields in the events, you must know the name and value of each field that you want to filter. Any field that appears in the parsed list of fields of an event can be included or excluded using a filter. Use the following table to identify common fields and values that you might want to filter in your data. Work with Splunk Professional Services to add customized field-based filters.

Field name Description Example values
event.format name of the event format WebGateway
view.network.source source IP address 10.1.2.3
view.network.destination destination IP address 172.20.30.40
ad.user.srcuser source user for an AD data source jsmith
ciscosa.user.destuser destination user in a Cisco ASA data source administrators\superuser

Set the order in which event filters run

Event filters run in the same order every time for every event in a data source until a matching event is found. When a matching event is found, additional filters are not applied to the corresponding event.

By default, event filters are applied in the following order:

  1. Field values to exclude
  2. Field values to include
  3. External devices to exclude
  4. External devices to include
  5. AD groups to exclude
  6. AD groups to include
  7. Internal devices to exclude
  8. Internal devices to include
  9. IP address filters
  10. Filters defined with regex
  11. Users to exclude
  12. Users to include

The order in which event filters run can be set manually by copying properties from the uba-default.properties file and customizing them in the uba-site.properties file.

  1. Open the /opt/caspida/conf/uba-default.properties and copy the decorator.filter.precedence property along with all the filters.
    decorator.filter.precedence=FieldValuesExclude, FieldValuesInclude, ExternalDeviceExclude, ExternalDeviceInclude, GroupExclude, GroupInclude, InternalDeviceExclude, InternalDeviceInclude, IPAddress, Regex, UserExclude, UserInclude
  2. Open the /etc/caspida/local/conf/uba-site.properties file and past the decorator.filter.precedence property and filters into the file.
  3. Set the desired order of the filters.
  4. Save your changes to the file.
Last modified on 09 May, 2019
PREVIOUS
Add data sources to Splunk UBA in test mode
  NEXT
Why Splunk UBA requires HR data

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters