UBA Journey

The Splunk UBA Journey… Q&A

What is UBA?

UBA, User Behavior Analytics, it is a premium product published by Splunk.  It is a separate product from Splunk’s core software and has its own binaries and configuration. By relying on the machine learning technologies, UBA can secure an organization from the insider threats and also provide outsider threat monitoring and alerting capabilities

What are Insider threats?

Any malicious activity that are generated from, or related to, an entity inside the organization.  This entity can be an asset or an identity account.  Many hacking techniques now are relying on compromising company accounts and using them to gain access into the organization.  They will always work to find a backdoor to any vulnerability or security weakness inside the organization’s security systems.

What UBA is capable of ?

  • It can automatically detect threats and anomalies from internal users and assets using machine learning and data.
  • Leveraging the prebuilt threat detection models, UBA will constantly monitor the organizing events and identify anomalous entities without human intervention.
  • Correlate anomalies generated by any unusual behaviors into one or multiple threat alerts, so that analysts can trace these anomalies down to any internal or external entities sources.
  • Create dashboards that will help analysts understand their threats and anomalies and deeply investigate them.
  • Provide alerting on newly created threats.
  • Integrate with Splunk ES to enable notable events on threats and anomalies.
  • Provide anomalies actions rules, white or black listing of any entity, to help analysts eliminate false positive and legitimate activities within the organization.

How does UBA categorize threats and anomalies?

UBA will categorize threats and anomalies by: Users, devices, IPs and domains. All related subcategories will be also provided by UBA, such as Internal vs external IPs, user account status and trusted vs untrusted applications.

Is a Splunk environment required for UBA ?

For the most part and for best performance and results the answer is YES. UBA will leverage the Splunk platform to collect and ingest data, and also get CIM data when possible. UBA will also integrate will many Splunk security products like Splunk Enterprise Security to provide a robust security solution for the customers.

Want to Know More? Contact Aditum’s Splunk Experts.

“We have a demanding development environment and Aditum has delivered top notch support.”

– Large Health Insurance Provider

Aditum’s Splunk Architects, Splunk Administrators, Splunk Developers and Information Security consultants deliver outstanding results to companies like yours every day. From initial installation to managed services, our experts can help you deliver success.

What are the essential first steps to have UBA works as expected?

  • Sizing UBA installation requirement, Splunk PS will first engage to size your environment by analyzing your environment, includeing:
    • log ingestion rate (EPS) which stands for “Events Per seconds”;
    • Number of users accounts and devices; and
    • Number of Sources that reflect to UBA .

After collecting the above information, the UBA engineer will be able to tell how may UBA nodes need to run to get the best performance using the below table:

  • Confirm Data CIM requirement.  For best practice, all data sources for UBA should go through CIM before going into UBA . For more information about Data CIM please refer to this Aditum article here .
  • Identify and collect HR data.  The PS engineer will work side by side with you to get the HR data normalized and ingested into UBA. This includes :
    • Identify the best source of HR data like LDAP , OKTA, etc.
    • Identify how many domains the users have within the organization.
    • Normalize the HR data so that each user would have a unique Employee ID, regardless of how may accounts they may have.
  • Identify the best source of the assets and devices.  All devices information should be provided to UBA, so that UBA can learn the device information like IP category, priority and name. UBA will associate devices to users and analyses activities accordingly.
  • Open all the required ports between UBA and Splunk platforms for smooth communication .
  • Confirm resources availability for the UBA installation.  UBA is very sensitive to resources and it aggressively uses them, so we need to make sure that we have the right resource for the best performance.  Please refer to Splunk’s documentation here for requirement details. 

Where can we install UBA ?

UBA can be installed in a single server or in a cluster of nodes, depending on the sizing and planning above. UBA can be installed on the following platforms:-

Other than data sources, what information do I have to provide to UBA?

In order to let UBA learn the organization operation and log flows perfectly, and in order to make it understand normal internal activities vs anomalies, it is essential that we provide the following information to UBA during the installation:

  • Internal IP ranges of the organization. This will include any internal or external subnets that are owned by the organization.
  • Associated offices geo locations.
  • Default office location like the organization HQ.
  • List of competitors, This is an optional step for a certain threat models only.
  • AD Domains in use for all the organization devices.
  • IP address for the internal and external scanners.

What happens after installation and configuration completed?

Now it is time to provide the data sources to UBA.  The PS engineer will start creating the data sources using a scheduled job to fetch the data from the Splunk platform and ingest it into Splunk.  This task may include CIM work on the data sources in Splunk, as we must make sure that all data should be ingested cleanly in order to ensure the UBA models working as expected.

Is there any data sources order for data ingestion into UBA?

The first data sources we would have to ingest into UBA are , HR data and Assets , after ingesting those data sources, we will validate those data and make sure that they look as expected , like , make sure HR data has all the required information, it is normalized and multiple accounts for the same user are bonded into a unique Employee ID.

After ingesting and validating those data source, there is no order preferred to ingest the other data sources.

How UBA will Work afterwards?

After we have ingested all the data sources and validate that all jobs are being ingested properly, we will now let UBA do its work on its own, meaning that we will leave UBA for about 6 weeks to run independently. during that time, the jobs will be running on the schedule and UBA will keep monitoring the users and assets behavior and then will create a base line for these activities. So anything out of this baseline will be considered an anomaly.

What is expected from the UBA engineer to do after the baseline period is completed?

After the baseline period is completed, the engineer will engage again, and complete the following steps: –

  • Validate the UBA is healthy and has no warnings or errors
  • Validate that all data sources are still running as expected.
  • Validate that devises and HR data is still available and valid.
  • Validate the anomalies created and work with the client to create actions rules that will delete the false positive anomalies.
  • Add any white/black listing for domain, users, and IPs.
  • Have a knowledge transfer session with the client.

About Aditum

Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk.

Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments, environment upgrades and scaling, dashboard, search, and report creation, and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers that focus on building Splunk apps and technical add-ons.

Contact us directly to learn more.

Shawn Al-Atroshi
Latest posts by Shawn Al-Atroshi (see all)
Share this Article

Please Login to Comment.