Splunk® User Behavior Analytics

Send and Receive Data from the Splunk Platform

Requirements for using the Splunk Add-on for Splunk UBA

Before integrating Splunk User Behavior Analytics (UBA) with Splunk Enterprise or Splunk Enterprise Security (ES), meet these requirements:

Splunk Cloud Platform customers must contact Splunk Support to fully integrate with Splunk UBA. The Splunk Cloud Platform sc_admin role cannot perform Splunk UBA setup.

Splunk Enterprise and Splunk ES requirements

You must meet the following requirements to integrate Splunk UBA with Splunk Enterprise and Splunk ES:

Component: Splunk Enterprise
Requirement: Verify that you have a Splunk Enterprise user account that meets all the requirements listed in Requirements for the Splunk Enterprise user account in the Install and Upgrade Splunk User Behavior Analytics manual.

Component: Splunk Add-on for Splunk UBA
Requirement: Verify that the Splunk Add-on for Splunk UBA is installed and enabled on your search head, with the ueba index deployed to your indexers. See Deploy the Splunk Add-on for Splunk UBA.

Component: Splunk UBA server
Requirement: Verify that the name of the Splunk UBA server is specified correctly in Splunk ES. The name of the Splunk UBA server that you specified when running the /opt/caspida/bin/Caspida setup command during Splunk UBA installation must match the value stored in the uiServer.host property in the /etc/caspida/local/conf/uba-site.properties file in Splunk UBA. The name of the Splunk UBA server that was specified during setup is stored in the /opt/caspida/conf/deployment/caspida-deployment.conf file.
  • If you specified a Splunk UBA host name such as ubahost1 during setup, make sure that uiServer.host is set to the same host name.
  • If you specified an IP address such as 10.11.12.1 during setup, make sure that uiServer.host is set to the same IP address.

Component: Output connector
Requirement: Configure an output connector on Splunk UBA to send anomalies and threats from Splunk UBA to Splunk ES.
During this configuration, you must provide a username and password for a Splunk ES account that has at least the permissions granted by the ess_analyst role plus the edit_reviewstatuses capability, so that Splunk UBA is fully authorized for this integration.
This privilege level is required so that Splunk UBA can access the Splunk ES APIs and change the status of notable events. See Add an output connector in Splunk UBA.

Component: Splunk ES account
Requirement: For Splunk UBA version 5.4.0 and higher, the edit_token_http capability is also required for the Splunk ES account used for the UBA-Splunk ES integration.
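The uiServer.host check in the table above can be scripted before the integration is attempted. The following is an added example, not code from Splunk; it parses a constructed copy of uba-site.properties and compares uiServer.host with the host name or IP address given to Caspida setup. Because this page does not name the key under which caspida-deployment.conf records the setup value, the caller passes that value in as an argument; the comparison of host names is case-insensitive, which is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample of /etc/caspida/local/conf/uba-site.properties (not a real file).
SAMPLE_SITE_PROPERTIES = """\
# Splunk UBA site properties (constructed sample)
uiServer.host = ubahost1
uiServer.port=443
"""

# Java-style properties line: key, optional '=' or ':' separator, value.
_PROP_RE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Parse Java-style .properties text into a dict (last occurrence of a key wins)."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank line or comment
        match = _PROP_RE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def describe(value):
    """Return 'IP address' if value parses as IPv4/IPv6, otherwise 'host name'."""
    try:
        ipaddress.ip_address(value)
        return "IP address"
    except ValueError:
        return "host name"


def check_ui_server_host(site_properties_text, setup_host):
    """Compare uiServer.host with the value that was given to 'Caspida setup'.

    setup_host is the name or IP recorded in caspida-deployment.conf; the
    caller reads it from that file (its key is not given on this page).
    Returns (ok, message) so the result can be logged or asserted on.
    """
    ui_host = parse_properties(site_properties_text).get("uiServer.host")
    if ui_host is None:
        return False, "uiServer.host is not set in uba-site.properties"
    if ui_host.lower() == setup_host.lower():
        return True, f"uiServer.host matches setup value ({describe(ui_host)} {ui_host})"
    return False, (f"mismatch: setup used {describe(setup_host)} {setup_host!r}, "
                   f"but uiServer.host is {describe(ui_host)} {ui_host!r}")
```

A mismatch message such as "setup used IP address '10.11.12.1', but uiServer.host is host name 'ubahost1'" points directly at the two values the table says must agree.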

Configure authentication between Splunk UBA and Splunk ES

Starting with release 6.1.0, Splunk ES can use a local user account to integrate with Splunk UBA. To perform the integration, meet the following requirements:

  • In Splunk UBA, configure an account with the username of "ubaesuser" (for UBA ES User) and the account role of User (uba_user). See Add a local user account in the Administer Splunk User Behavior Analytics manual.
  • In Splunk ES, create the matching credentials. See Add a new credential for UBA input in the Splunk Enterprise Security Administer Splunk Enterprise Security manual.

If you are using a version of Splunk ES lower than 6.1.0, configure Splunk authentication in Splunk UBA to integrate Splunk UBA and Splunk ES. See Configure Splunk authentication using Splunk UBA in the Administer Splunk User Behavior Analytics manual.

Last modified on 11 July, 2024

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0, 5.4.1
