Splunk® User Behavior Analytics

Send and Receive Data from the Splunk Platform

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Send Splunk UBA anomalies and threats to Splunk ES as notable events

This image summarizes the steps you need to take to push anomalies and threats from Splunk User Behavior Analytics (UBA) to Splunk Enterprise Security (ES) as notable events.

This image shows the steps for how to send anomalies and threats from Splunk UBA to Splunk ES. The steps in the image are described immediately following the image.

  1. Verify that the Splunk Add-on for UEBA is installed and enabled.
  2. Enable SA-UEBA so that Splunk ES can retrieve data from Splunk UBA.
  3. Configure the Splunk platform to receive data from the Splunk UBA output connector.
  4. Add an output connector in Splunk UBA.
  5. (Optional) Learn How threats and notables are synchronized.

Verify that the Splunk Add-on for UEBA is installed and enabled

Perform the following steps to verify that the Splunk Add-on for UEBA is installed.

  1. Log in to the Splunk search head with Splunk Enterprise Security installed.
  2. In Splunk Web, select Apps > Manage Apps.
  3. Search for ueba and verify that Splunk_TA_ueba is installed and enabled.
  4. If the add-on is not enabled, click Enable to enable it.

Enable SA-UEBA so that Splunk ES can retrieve data from Splunk UBA

Enable SA-UEBA so that dashboards and knowledge objects are visible to users in Splunk Enterprise Security. This task is required to retrieve data from Splunk UBA to display on the Session Center dashboard in Splunk Enterprise Security, to model data sent from Splunk UBA with the UEBA data model, and to use correlation searches to analyze threats and anomalies sent from Splunk UBA.

  1. Log in to the Splunk search head with Splunk Enterprise Security installed.
  2. In Splunk Web, select Apps > Manage Apps.
  3. Locate the SA-UEBA add-on.
  4. Click Enable to enable the add-on.

Configure the Splunk platform to receive data from the Splunk UBA output connector

The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.

Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.

The following procedure uses the Splunk default certificates and the global [SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.

Perform the following steps on Splunk Enterprise:

  1. Create a local folder under $SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example:
    cd /opt/splunk/etc/apps/Splunk_TA_ueba
    mkdir local
    
  2. Create a file called inputs.conf and add the following stanza:
    [tcp-ssl:10008]
    listenOnIPv6 = no
    index = ueba
    sourcetype = ueba
    serverCert = $SPLUNK_HOME/etc/auth/server.pem
    sslPassword = password
    
  3. In distributed deployments, deploy the changes to the inputs.conf file across all peers in your indexer cluster. See Manage common configurations across all peers in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
  4. Restart Splunk Enterprise.
    1. In Splunk Web, select System > Server controls.
    2. Click Restart Splunk.
  5. Verify that SSL is enabled for port 10008 in $SPLUNK_HOME/var/log/splunk/splunkd.log. For example:
    11-07-2019 15:07:42.661 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL
  6. Copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.

Perform the following tasks on the Splunk UBA management server:

  1. Log in to the Splunk UBA management server as the caspida user.
  2. Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:
    . /opt/caspida/bin/CaspidaCommonEnv.sh
  3. Import the rootCA certificate to the Java certificate store.
    On CentOS systems, use the following command:
    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem

    On other Linux systems, use the following command:

    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
  4. When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.
  5. Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
    /opt/caspida/bin/Caspida stop-all
    /opt/caspida/bin/Caspida start-all
    

Add an output connector in Splunk UBA

Set up Splunk UBA to send data to the Splunk search head or a Splunk forwarder. Splunk UBA uses the output connector to send anomalies and threats to Splunk Enterprise Security.

  1. Make sure the Splunk Add-on for Splunk UBA is properly deployed and enabled. See Deploy the Splunk Add-on for Splunk UBA.
  2. Make sure the SA-UEBA add-on is enabled. See Enable SA-UEBA so that Splunk ES can retrieve data from Splunk UBA.
  3. Log in to Splunk UBA as an admin user.
  4. Select Manage > Output Connectors.
  5. Click New Output Connector.
  6. Select an output connector of SplunkES and click Next.
  7. Type a Name for the output connector.
  8. The Forwarder Host is the IP address of the Splunk search head or forwarder with the TCP data input enabled. For a search head cluster, choose a search head to integrate with Splunk UBA because Splunk UBA does not support integrating with multiple search heads.
  9. The Forwarder Port is TCP port 10008 that is open for receiving data on the Splunk search head or forwarder. Make sure this port is open behind your firewall.
  10. Specify the Splunk ES API URL in the following format:
    https://<forwarder-host>:<mgmt-port>
    Splunk UBA uses this connection to synchronize the status of its threats with notable events in Splunk ES. The management port is usually 8089.
  11. Specify a username and password. See Splunk Enterprise and Splunk ES requirements for the requirements of this user account.
  12. Select how you want this output connector to process anomalies and threats.
    Option Description
    Process Threats Select Process Threats to enable Splunk UBA to export threats based on any configured output connectors, such as sending email or sending threats to Splunk ES. If this is not selected, no threats are exported from Splunk UBA, even if Auto Process is selected.
    Process Anomalies Select Process Anomalies to enable Splunk UBA to export anomalies based on any configured output connectors, such as sending email or sending anomalies to Splunk ES. If this is not selected, no anomalies are exported from Splunk UBA, even if Auto Process is selected.
    Auto Process Select Auto Process to automatically forward anomalies and threats as they are created to Splunk ES. If this is not selected, you must forward each anomaly or threat individually during threat review with the Export to Splunk ES action from the Anomaly Details or Threat Details page. See Review Current Threats in Use Splunk User Behavior Analytics.


    Selecting Auto Process in conjunction with Process Anomalies can cause a significant increase in traffic. Review the output connector logs to verify the health and performance of your system. See the Output Connector Service health monitor status codes. If you are monitoring Splunk UBA using the Splunk UBA Monitoring app, see About the Splunk UBA Monitoring app in theSplunk UBA Monitoring App manual.

  13. Click OK to save the new output connector.

If the output connector does not work, verify that you configured the host server correctly in the uba-site.properties file. The host identified in the file populates the host field for events sent to Splunk Enterprise Security or the Splunk platform. See Connect Splunk UBA to Splunk Enterprise to view an anomaly's raw events in Install and Upgrade Splunk User Behavior Analytics.

How threats and notable events are synchronized

Once the output connector is configured, Splunk UBA attempts to send threats to Splunk ES every 5 minutes with no limits on the number of retries. Any issues with the connection mean that new threats are not sent to Splunk ES until the connection issues are resolved. Any connection issues between the output connector and Splunk ES also affect other output connectors that are configured, such as email and ServiceNow. If the connection issues persist for more than one hour, alerts are generated in the health monitor in Splunk UBA. See Monitor the health of your Splunk UBA deployment in Administer Splunk User Behavior Analytics.

Perform the following steps to change the retry interval:

  1. On the Splunk UBA management node, log in as the caspida user.
  2. Edit the etc/caspida/local/conf/uba-site.properties file and modify the uba.splunkes.retry.delay.minutes property. For example, to set the retry interval to 3 mintues:
    uba.splunkes.retry.delay.minutes = 3
  3. In distributed deployments, synchronize the cluster:
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf

Work with Splunk UBA threats as notable events in Splunk ES

When Splunk UBA and Splunk ES are integrated using an output connector, Splunk UBA creates a new custom status on Splunk ES called Closed in Uba as shown in the following image.

This screen image shows the Status Configuration page in Splunk ES with a list of available statuses for notable events. The status with the label Closed in Uba is highlighted.

The status of threats in Splunk UBA and their corresponding notable events in Splunk ES are synchronized.

What happens when a threat is closed in Splunk UBA

Threats in Splunk UBA can be closed by the user or closed by the system:

  • Threats in Splunk UBA are considered closed by the user if a user clicks Not a Threat in Splunk UBA.
  • In all other cases, the threat in Splunk UBA is considered to be closed by the system.

When a threat is closed in Splunk UBA, Splunk UBA checks the status of the corresponding notable event in Splunk ES. If the notable event is not already closed in Splunk ES, Splunk UBA closes the notable event by setting the end status to Closed in Uba.

If the notable event is reopened in Splunk ES, a threat closed by the user in Splunk UBA is reopened. A threat closed by the system remains closed in Splunk UBA. The threat can still be viewed, but no action can be taken on the threat. This workflow is illustrated in the following diagram:

This screen image shows a flowchart of threats in Splunk UBA and their corresponding notable events in Splunk Enterprise Security. The flow of the data is described in the surrounding text.

What happens when a threat is reopened in Splunk UBA

A threat in Splunk UBA can be reopened in the following cases:

  • Threat computation causes a threat to be reopened.
  • An anomaly action rule affects anomalies that cause a threat to be reopened.
  • A threat rule is modified, causing a threat to be reopened.

When a threat is reopened, Splunk UBA checks to see if the notable event in Splunk ES has an end status of ClosedInUba and if yes, the notable event is also reopened.

No action is taken if the notable event is already open in Splunk ES, or if it has an end status other than ClosedInUba.

Splunk UBA queries for the status of notable events in Splunk ES

Splunk UBA queries Splunk ES in 5-minute intervals to synchronize the status of threats in Splunk UBA and notable events in Splunk ES.

When the query detects that a notable event is closed, Splunk UBA checks to see if the corresponding threat is also closed. If not, the threat is closed with a status of ClosedbyUser as shown in the following diagram:

This flowchart shows what happens to a threat in Splunk UBA when the status of its notable event is closed. If the threat is already closed in Splunk UBA, then no action is taken. If the threat is still active in Splunk UBA, then it is closed with a status of ClosedByUser.

When the query detects that a notable event is not closed, Splunk UBA checks to see if the corresponding threat has a status of ClosedbyUser. If so, the threat is reopened with a status of Active as shown in the following diagram:

This flowchart shows what happens to a threat in Splunk UBA when the status of its notable event is not closed. If the threat does not have a status of ClosedByUser in Splunk UBA, then no action is taken. If the threat has a status of ClosedByUser in Splunk UBA, then it is reopened with a status of Active.

What happens if the output connector is unable to send threats to Splunk ES?

If the output connector is unable to send threats to Splunk ES, due to a network issue or Splunk ES being temporarily unavailable, the output connector makes another attempt every 5 minutes. After 1 hour, if the connection is not resolved, the output connector raises an error in the health monitor. See OCS-11 in Administer Splunk User Behavior Analytics.

Last modified on 08 October, 2021
PREVIOUS
Integrate Splunk ES and Splunk UBA with the Splunk Add-on for Splunk UBA
  NEXT
Pull notable events from Splunk ES to Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters