Send Splunk UBA audit events to Splunk ES
Send audit events from Splunk User Behavior Analytics (UBA) to Splunk Enterprise Security (ES) so that you can maintain a history of specific actions taken by analysts and hunters in Splunk UBA.
For example, if there is a need to re-examine a closed threat, you can use the audit history to determine which analyst closed the threat.
For Splunk UBA version 5.4.0 and higher, the Splunk ES account being used for UBA-ES integration must have the edit_token_http capability.
Perform the following tasks to send audit events to the Splunk platform to be added to the _audit index:
- Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA.
- Set up a search head or forwarder to receive data from Splunk UBA.
- Configure the Splunk platform to receive data from the Splunk UBA output connector.
The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). See How do I obtain the Splunk Add-on for Splunk UBA?
Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA
Perform the following steps in Splunk UBA to enable audit logs to be sent to the Splunk platform.
By default, audit logs are stored in index=_audit sourcetype=uba_audit.
- Set the uba.sys.audit.push.splunk.enabled property in the /etc/caspida/local/conf/uba-site.properties file to true:
  uba.sys.audit.push.splunk.enabled=true
- Run the following command to synchronize the cluster:
  /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Run the following commands to restart Caspida services:
  /opt/caspida/bin/Caspida stop
  /opt/caspida/bin/Caspida start
Set up a search head or forwarder to receive data from Splunk UBA
You can choose to set up either a search head or a forwarder to receive data sent from Splunk UBA.
- In Splunk UBA release 4.3.0 and lower, you can send data only to a Splunk search head.
- In Splunk UBA release 4.3.1 and higher, you can send data to a Splunk search head or forwarder.
Configure the Splunk platform to receive data from the Splunk UBA output connector
Send Splunk UBA audit events to Splunk ES by setting up an output connector. See Send Splunk UBA anomalies and threats to Splunk ES as notable events. Sending UBA audit events to Splunk ES uses the same process as sending UBA anomalies and threats. You do not need to select Process Threats or Process Anomalies to send UBA audit events to Splunk ES.
Splunk UBA audit events can only be sent to the same Splunk ES deployment that Splunk UBA is sending anomalies and threats to. After following all the steps and configuring the output connector in Splunk UBA, Splunk UBA can forward UBA audit events to the specified Splunk ES deployment.
Steps on the Splunk Enterprise search head
Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive the Splunk UBA threats and anomalies.
If you are using the default certificate provided with the Splunk Platform, copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.
If you use your own third-party certificate, copy that certificate file to /home/caspida on the Splunk UBA management server. Do not copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance.
If you are on Splunk Cloud, you must have the Splunk Universal Forwarder app installed.
- Go to the Splunk Universal Forwarder app home page.
- Select Download Universal Forwarder Credentials to get the splunkclouduf.spl Universal Forwarder App file.
- Untar the app and copy the *.pem file from the ./default directory of the app to /home/caspida on the Splunk UBA management server. Splunk Cloud issues new TLS certificates for Splunk Cloud deployments periodically. Step 3 must be repeated every time a new TLS certificate is issued.
- Add connection_host = ip to the HTTP Event Collector (HEC) inputs.conf on the ES search head, for example /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf. This ensures that the host field remains the sender's (UBA) IP address instead of the default HEC host and port.
- The Splunk ES account being used for UBA-ES integration must have the edit_token_http capability.
- Port 8088 must be open on the Splunk ES search head.
Splunk HTTP Event Collector setup
The Splunk HTTP Event Collector must be set up to send data from Splunk UBA to the Splunk Platform. See Set up and use HTTP Event Collector in Splunk Web in the Splunk Cloud Platform manual.
For Splunk Cloud users, Splunk UBA does not programmatically set up an HTTP Event Collector token. Use the Admin Config Service to set up a token. For steps, see Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform in the Splunk Cloud Platform manual.
Refer to the following table for field name guidance:
Field name | Value to enter
---|---
name | SplunkES-UBA-Integration.v1
defaultSourcetype | ueba
allowedIndexes | ueba and risk
Create the new HTTP Event Collector token, and copy down the value of the token.
Splunk Cloud users also need to note the values for host and port, which are used for the HTTP Event Collector and are unique to each Splunk Cloud deployment.
Steps on the Splunk UBA management server
Perform the following steps on the Splunk UBA management server:
- Log in to the Splunk UBA management server as the caspida user.
- Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:
  . /opt/caspida/bin/CaspidaCommonEnv.sh
- Import the root CA certificate to the Java certificate store. If you use your own third-party certificate, replace ~/cacert.pem with that third-party certificate in the following commands. If you are on Splunk Cloud, replace ~/cacert.pem with the *.pem file provided from the Splunk Universal Forwarder app.
  On RHEL or OEL systems, use the following command:
  sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem
  On Ubuntu systems, use the following command:
  sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
  For Splunk Cloud users, use the *.pem file copied previously from the Splunk Universal Forwarder in the Splunk Enterprise search head step. Splunk Cloud users must repeat this step each time a new TLS certificate is issued for their Splunk Cloud deployment.
- When prompted, enter the keystore password and trust the certificate. The default keystore password is changeit.
- From the command line of the Splunk UBA management server, view the /etc/caspida/local/conf/uba-site.properties file to confirm the following parameters are set to "true" as shown:
  uba.splunkes.integration.enabled=true
  connectors.output.splunkes.ssl=true
- Customers with existing UBA-ES integrations must comment out or remove the previously configured [tcp-ssl:10008] stanza from the Splunk_TA_ueba inputs.conf on the Splunk ES search head to avoid having an unused listener.
- If you are a Splunk Cloud user with custom configurations on your HTTP Event Collector, complete this step. Otherwise skip to step 8. From the command line of the Splunk UBA management server, open /etc/caspida/local/conf/uba-site.properties and add the following properties:
  splunkes.hec.token.value = <token value of the HTTP Event Collector token>
  splunkes.hec.host = <HTTP Event Collector host URI>
  splunkes.hec.port = <HTTP Event Collector port>
  Example:
  splunkes.hec.host=test.splunk.com
  splunkes.hec.token.value=c125bad8-b378-4fc9-861b-2d66096d2f86
  splunkes.hec.port=443
  If you set the name of the HTTP Event Collector token to a value other than SplunkES-UBA-Integration.v1, set the splunkes.hec.token.key field to that name.
- Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
  /opt/caspida/bin/Caspida stop-all
  /opt/caspida/bin/Caspida start-all
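The following script is an added example, not part of the Splunk documentation or of the Splunk UBA product. It checks the files that the procedures above leave behind on both sides of the integration: the required uba-site.properties values on the Splunk UBA management server (including the splunkes.hec.* trio for Splunk Cloud users who set a custom HEC configuration), the connection_host = ip setting in the HEC inputs.conf on the ES search head, and the presence of the "splunk es" alias in the Java truststore. The property names, file paths and keystore alias are taken from the page; the function names and the sample file contents are the example's own and are constructed, and the keystore check assumes keytool is on PATH and that $JAVA_HOME was set by CaspidaCommonEnv.sh.

```shell
#!/usr/bin/env bash
# Added example, not from the Splunk documentation: sanity-check the files
# this procedure edits. Property names, paths and the keystore alias come from
# the page; the sample file contents below are constructed for illustration.
set -u

# Print the value of KEY from a Java-style properties FILE, accepting both the
# "key=value" and "key = value" spellings used on the page. Comment lines are
# skipped. Exit status 1 means the key is absent.
prop_value() {
  local file="$1" key="$2"
  awk -v k="$key" '
    /^[[:space:]]*#/ || index($0, "=") == 0 { next }
    {
      name = substr($0, 1, index($0, "=") - 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
      if (name == k) {
        val = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        print val; found = 1; exit
      }
    }
    END { exit (found ? 0 : 1) }' "$file"
}

# Verify the uba-site.properties settings the procedure requires to be "true".
# If any splunkes.hec.* override is present (Splunk Cloud with a custom HEC
# configuration), the token value, host and port must all be present.
check_uba_site_properties() {
  local file="$1" key val rc=0
  for key in uba.sys.audit.push.splunk.enabled \
             uba.splunkes.integration.enabled \
             connectors.output.splunkes.ssl; do
    val=$(prop_value "$file" "$key") || val="(absent)"
    if [ "$val" != "true" ]; then
      echo "$key is $val, expected true" >&2
      rc=1
    fi
  done
  if grep -q '^[[:space:]]*splunkes\.hec\.' "$file"; then
    for key in splunkes.hec.token.value splunkes.hec.host splunkes.hec.port; do
      if ! prop_value "$file" "$key" >/dev/null; then
        echo "$key is missing although other splunkes.hec.* properties are set" >&2
        rc=1
      fi
    done
  fi
  return "$rc"
}

# Check that an inputs.conf sets connection_host = ip in the global [http]
# stanza or in a per-token [http://name] stanza, so the host field of the
# forwarded audit events stays the UBA sender's IP rather than the HEC host/port.
check_hec_connection_host() {
  local file="$1"
  awk '
    /^\[/ { in_hec = ($0 ~ /^\[http(\]|:\/\/)/) }
    in_hec && /^[[:space:]]*connection_host[[:space:]]*=/ {
      val = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (val == "ip") ok = 1
    }
    END { exit (ok ? 0 : 1) }' "$file"
}

# Confirm the Splunk CA sits in the Java truststore under the alias the page
# uses. Needs keytool on PATH and the cacerts path derived from $JAVA_HOME
# (set by CaspidaCommonEnv.sh); the password defaults to changeit.
check_ca_imported() {
  local store="$1" pass="${2:-changeit}"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  keytool -list -keystore "$store" -storepass "$pass" -alias "splunk es" >/dev/null 2>&1
}

# Demonstration on constructed sample files (the token value is a dummy).
demo=$(mktemp -d)
cat > "$demo/uba-site.properties" <<'EOF'
# constructed sample, not a real deployment's file
uba.sys.audit.push.splunk.enabled=true
uba.splunkes.integration.enabled=true
connectors.output.splunkes.ssl=true
splunkes.hec.host=hec.example.invalid
splunkes.hec.token.value = 00000000-0000-0000-0000-000000000000
splunkes.hec.port=443
EOF
cat > "$demo/inputs.conf" <<'EOF'
[http]
disabled = 0
connection_host = ip
EOF
if check_uba_site_properties "$demo/uba-site.properties"; then echo "uba-site.properties: OK"; fi
if check_hec_connection_host "$demo/inputs.conf"; then echo "inputs.conf: OK"; fi
rm -rf "$demo"
```

On a real deployment, point check_uba_site_properties at /etc/caspida/local/conf/uba-site.properties and check_ca_imported at $JAVA_HOME/lib/security/cacerts (or $JAVA_HOME/jre/lib/security/cacerts on Ubuntu); both report the first thing that is wrong rather than silently passing, which is what you want to run before restarting with Caspida start-all, and again after Splunk Cloud rotates its TLS certificate.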
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.4.0, 5.4.1