Splunk® User Behavior Analytics

Send and Receive Data from the Splunk Platform

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Pull notable events from Splunk ES to Splunk UBA

This image summarizes the steps you need to take to configure a Splunk ES Notables or Splunk Direct data source to pull notable events from Splunk Enterprise Security (ES) to Splunk User Behavior Analytics (UBA).

This image shows the steps for how to pull notable events from Splunk ES to Splunk UBA. The steps in the image are described immediately following the image.

Perform the following tasks to set up the desired data source in Splunk UBA:

  1. In Splunk ES, Set up Splunk UBA to receive notable events from Splunk ES.
  2. In both Splunk Enterprise and Splunk UBA, Configure the Splunk platform to receive data from the Splunk UBA output connector.
  3. Set up Splunk UBA to pull notable events from Splunk ES. See Send notable events to Splunk UBA.

Set up Splunk UBA to receive notable events from Splunk ES

In Splunk ES, perform the following tasks so that Splunk UBA can receive notable events from Splunk ES:

Splunk Cloud Platform customers must contact Splunk Cloud Platform Support to perform the Splunk UBA setup.

  1. From the Splunk ES menu bar, select Configure > UBA Setup. You can also select Apps > Manage Apps and select Set up next to this add-on.
  2. In the Management Server field, type the host name and port number of the Splunk ES output connector on the Splunk UBA management server using port 10008. For example, <server IP address>:10008.
  3. In the Type field, select whether to use the TCP or UDP protocol to send the correlation search results to Splunk UBA.

Configure the Splunk platform to receive data from the Splunk UBA output connector

The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.

Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.

The following procedure uses the Splunk default certificates and the global [SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.

Perform the following steps on Splunk Enterprise:

  1. Create a local folder under $SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example:
    cd /opt/splunk/etc/apps/Splunk_TA_ueba
    mkdir local
    
  2. Create a file called inputs.conf and add the following stanza:
    [tcp-ssl:10008]
    listenOnIPv6 = no
    index = ueba
    sourcetype = ueba
    serverCert = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = password
    
  3. In distributed deployments, deploy the changes to the inputs.conf file across all peers in your indexer cluster. See Manage common configurations across all peers in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
  4. Restart Splunk Enterprise.
    1. In Splunk Web, select System > Server controls.
    2. Click Restart Splunk.
  5. Verify that SSL is enabled for port 10008 in $SPLUNK_HOME/var/log/splunk/splunkd.log. For example:
    11-07-2019 15:07:42.661 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL
  6. Copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.

Perform the following tasks on the Splunk UBA management server:

  1. Log in to the Splunk UBA management server as the caspida user.
  2. Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:
    . /opt/caspida/bin/CaspidaCommonEnv.sh
  3. Import the rootCA certificate to the Java certificate store.
    On CentOS systems, use the following command:
    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem

    On other Linux systems, use the following command:

    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
  4. When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.
  5. Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
    

Send notable events to Splunk UBA

Use one of the following methods to send notable events from Splunk ES to Splunk UBA:

Send notable events and risk events using the Splunk ES Notables data source

Use the Splunk ES Notables data source in Splunk UBA to integrate Splunk UBA with Splunk ES. Configure Splunk UBA to connect to the Splunk ES search head. The Splunk ES Notables data source automatically ingests notable events and risk events from Splunk ES and properly maps categories from Splunk ES Content Updates. If you have custom correlation searches in Splunk ES, make sure the category field is added correctly in the correlation search.

See Filter the anomaly table in Use Splunk User Behavior Analytics to view the list of anomaly categories. The category field must match one of the listed categories. The Splunk UBA external alarm model uses these events and category mappings to generate meaningful anomalies which can subsequently raise the appropriate threats.

Notable events that are closed in Splunk ES are not ingested by Splunk UBA.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. In the SIEM Connectors category, click Splunk ES Notables.
  4. On the Connection screen, provide connection and authentication details to connect to Splunk ES, then click Next. The user credentials must have permissions to access the notable events and risk indexes.
  5. On the Time Range screen, select Live and All Time, then click Next.
  6. On the Splunk Query screen, verify the SPL being used to retrieve the events and category mappings from Splunk ES, then click Next. If you need to modify the SPL, make sure NOT (source="UEBA" OR source="UBA") is included in the final SPL to exclude Splunk UBA anomalies and threats.
  7. On the Test Mode screen, click Test Mode to validate the data source before ingesting all events, then click Next. See Add data sources to Splunk UBA in test mode for more information about test mode.
  8. Click OK.

Send notable events using Splunk Direct

Use Splunk Direct to send notable events from Splunk ES to Splunk UBA by configuring an external alarm data source. Write a custom query to handle the necessary data enrichment such as mapping the alarm category or severity.

  1. In Splunk ES, confirm that you get the desired notable events from the following query. The query analyzes notable events on Splunk ES that are not generated from Splunk UBA data sources and performs the proper mappings for the External Alarm category on Splunk UBA.

    You will need this query in the following steps.

    `notable` | search NOT (source="*UEBA*" OR source="*UBA*") | eval action=IF(action="deferred" OR action="blocked","blocked","allowed") | eval tag="attack,network,communicate", app='Authentication.app', dest_zone='dest_pci_domain', src_host='src_nt_host', src_zone='src_pci_domain' | eval severity="Critical",evcls=coalesce(signature,savedsearch_name,search_name) | eval signature=IF(isnull(signature),evcls,signature) | eval alarmCategories=CASE( like(lower(evcls),"%application%") OR like(lower(evcls),"%vulnerability%"),"ProductAttack", like(lower(evcls),"%intrusion%"),"SystemAttack", like(lower(evcls),"%data%loss%") OR like(lower(evcls),"%dlp%") OR like(lower(evcls),"%dlp%") OR like(lower(evcls),"%exfil%"),"Exfiltration", like(lower(evcls),"%malware%") OR like(lower(evcls),"%virus%") OR like(lower(evcls),"%botnet%") OR like(lower(evcls),"%backdoor%") OR like(lower(evcls),"%trojan%"),"MalwarePersistence", like(lower(evcls),"%malware%_operations") OR like(lower(evcls),"%cnc%") OR like(lower(evcls),"%callback%"),"MalwareActivity", like(lower(evcls),"%spam%") OR like(lower(evcls),"%phish%"),"MalwareInstall",1=1,"PolicyViolation") | eval user=IF(isnull(user) AND like(dest,"%@%"),dest,user), dest_ip=coalesce(dest_ip,'values(dest)'),eventtype=evcls, user=IF(like(user,"%wireless%"),"",user), src_ip=IF(isnull(src_ip) AND NOT like(src,"%@%"), src,src_ip), dest_ip=IF( like(dest_ip,"%@%"),'',dest_ip) | makemv delim="," tag | makemv delim=" " dest_ip | mvexpand dest_ip | fields action,alarmCategories,app,category,dest_host,dest_ip,dest_nt_domain, dest_zone,duration,eventtype,file_name,file_path,severity,signature, sourcetype,src_host,src_ip,src_zone,tag,url,user

  2. In Splunk UBA, select Manage > Data Sources.
  3. Click New Data Source.
  4. Under SIEM Connectors, select Splunk.
  5. Specify the connection details to Splunk ES. Select Splunk Direct as the connector type and specify the SSL management port for your Splunk ES instance.
  6. Select Live and All Time as the date range.
  7. In the Splunk Query field, specify the query that you verified at the beginning of this procedure.
  8. On the Data Format page, select External Alarm as the field category. Keep the default values in the Splunk Field column.
  9. Enter the query that you verified at the beginning of this procedure again.
  10. Make sure Test Mode is not selected, and then click OK.
Last modified on 08 October, 2021
PREVIOUS
Send Splunk UBA anomalies and threats to Splunk ES as notable events
  NEXT
Set up Splunk UBA to send user and device association data to Splunk ES

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters