Send Splunk UBA audit events to Splunk ES
Send audit events from Splunk User Behavior Analytics (UBA) to Splunk Enterprise Security (ES) so that you can maintain a history of specific actions taken by analysts and hunters in Splunk UBA.
For example, if there is a need to re-examine a closed threat, you can use the audit history to determine which analyst closed the threat.
Perform the following tasks to send audit events to the Splunk platform, where they are added to the _audit index:
- Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA.
- Set up a search head or forwarder to receive data from Splunk UBA.
- Configure the Splunk platform to receive data from the Splunk UBA output connector.
Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA
Perform the following steps in Splunk UBA to enable audit logs to be sent to the Splunk platform:
1. Set the uba.sys.audit.push.splunk.enabled property in the /etc/caspida/local/conf/uba-site.properties file to true:
uba.sys.audit.push.splunk.enabled=true
2. Run the following command to synchronize the cluster:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
3. Run the following commands to restart Caspida services:
/opt/caspida/bin/Caspida stop
/opt/caspida/bin/Caspida start
After the audit events reach the Splunk platform, you can search for them with index=_audit sourcetype=uba_audit.
Set up a search head or forwarder to receive data from Splunk UBA
You can choose to set up either a search head or a forwarder to receive data sent from Splunk UBA.
- In Splunk UBA release 4.3.0 and lower, you can send data only to a Splunk search head.
- In Splunk UBA release 4.3.1 and higher, you can send data to a Splunk search head or forwarder.
Configure the Splunk platform to receive data from the Splunk UBA output connector
Send Splunk UBA audit events to Splunk ES by setting up an output connector. See Send Splunk UBA anomalies and threats to Splunk ES as notable events. Sending UBA audit events to Splunk ES uses the same process as sending UBA anomalies and threats. It is not required to select Process Threats or Process Anomalies to send UBA audit events to Splunk ES.
Splunk UBA audit events can only be sent to the same Splunk ES deployment that Splunk UBA is sending anomalies and threats to. After following all the steps and configuring the output connector in Splunk UBA, Splunk UBA can forward UBA audit events to the specified Splunk ES deployment.
Steps on the Splunk Enterprise search head
Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive the Splunk UBA threats and anomalies.
1. Copy the certificate that Splunk UBA must trust to /home/caspida on the Splunk UBA management server. Which certificate you copy depends on your deployment:
- If you are using the default certificate provided with the Splunk platform, copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.
- If you are using your own third-party certificate, copy that certificate to /home/caspida on the Splunk UBA management server. Do not copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance.
- If you are on Splunk Cloud, you must have the Splunk Universal Forwarder app installed. Then:
  1. Go to the Splunk Universal Forwarder app home page.
  2. Select Download Universal Forwarder Credentials to get the splunkclouduf.spl Universal Forwarder App file.
  3. Untar the app and copy the *.pem file from the ./default directory of the app to /home/caspida on the Splunk UBA management server.
  CAUTION: Splunk Cloud issues new TLS certificates for Splunk Cloud deployments periodically. Step 3 must be repeated every time a new TLS certificate is issued.
2. Add connection_host = ip to the HTTP Event Collector (HEC) inputs.conf on the ES search head, for example /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf.
3. The Splunk ES account being used for the UBA-ES integration must have the edit_token_http capability.
4. Port 8088 must be open on the Splunk ES search head.
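The two inputs.conf changes on the ES search head (connection_host = ip in the HEC [http] stanza, and, for existing integrations, commenting out the [tcp-ssl:10008] stanza in Splunk_TA_ueba's inputs.conf as described later on this page) are easy to get subtly wrong by hand, for example by adding a second connection_host line or editing the wrong stanza. The following helper is an added example, not Splunk's own tooling; it makes both edits idempotently on the file text so comments and stanza order survive. The sample file contents are constructed, and on-disk inputs.conf changes take effect only after the Splunk instance restarts.

```python
"""Idempotent edits to Splunk .conf files (stanza-based `key = value` text).

Added example for this page; not Splunk's own tooling.
"""
import re
from typing import Dict, List

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# key = value; a leading '#' marks a comment, not a key
KEY_RE = re.compile(r"^\s*(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*)$")


def _insert_before_trailing_blanks(out: List[str], line: str) -> None:
    """Insert `line` at the end of `out`, above any blank separator lines."""
    i = len(out)
    while i > 0 and not out[i - 1].strip():
        i -= 1
    out.insert(i, line)


def set_stanza_key(conf_text: str, stanza: str, key: str, value: str) -> str:
    """Return conf_text with `key = value` set inside [stanza].

    Replaces the key if the stanza already has it, appends it to the stanza
    otherwise, and creates the stanza at the end of the file if it is
    missing. Re-running with the same arguments returns identical text.
    """
    out: List[str] = []
    in_target = seen_stanza = written = False
    for line in conf_text.splitlines():
        header = STANZA_RE.match(line)
        if header:
            if in_target and not written:  # leaving the stanza: add the key
                _insert_before_trailing_blanks(out, f"{key} = {value}")
                written = True
            in_target = header.group("name") == stanza
            seen_stanza = seen_stanza or in_target
            out.append(line)
            continue
        kv = KEY_RE.match(line)
        if in_target and kv and kv.group("key") == key:
            if not written:
                out.append(f"{key} = {value}")
                written = True
            continue  # drop duplicate definitions of the key
        out.append(line)
    if not seen_stanza:
        if out and out[-1].strip():
            out.append("")
        out.extend([f"[{stanza}]", f"{key} = {value}"])
    elif not written:  # the target was the last stanza in the file
        _insert_before_trailing_blanks(out, f"{key} = {value}")
    return "\n".join(out) + "\n"


def comment_out_stanza(conf_text: str, stanza: str) -> str:
    """Comment out [stanza] and its settings, up to the next stanza header."""
    out: List[str] = []
    in_target = False
    for line in conf_text.splitlines():
        header = STANZA_RE.match(line)
        if header:
            in_target = header.group("name") == stanza
        if in_target and line.strip() and not line.lstrip().startswith("#"):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def get_stanza(conf_text: str, stanza: str) -> Dict[str, str]:
    """Return the active (uncommented) settings of [stanza]; {} if absent."""
    settings: Dict[str, str] = {}
    in_target = False
    for line in conf_text.splitlines():
        header = STANZA_RE.match(line)
        if header:
            in_target = header.group("name") == stanza
            continue
        kv = KEY_RE.match(line)
        if in_target and kv:
            settings[kv.group("key")] = kv.group("value").strip()
    return settings


# Constructed samples, not copied from a real deployment.
SAMPLE_HEC_INPUTS = """\
# splunk_httpinput/local/inputs.conf (constructed sample)
[http]
disabled = 0
enableSSL = 1

[http://SplunkES-UBA-Integration.v1]
token = c125bad8-b378-4fc9-861b-2d66096d2f86
sourcetype = ueba
indexes = ueba,risk
"""

SAMPLE_TA_INPUTS = """\
# Splunk_TA_ueba/local/inputs.conf (constructed sample, pre-HEC integration)
[tcp-ssl:10008]
sourcetype = ueba
disabled = 0
"""

if __name__ == "__main__":
    print(set_stanza_key(SAMPLE_HEC_INPUTS, "http", "connection_host", "ip"))
    print(comment_out_stanza(SAMPLE_TA_INPUTS, "tcp-ssl:10008"))
```

Run it against a copy of the real file and diff the output before writing it back; get_stanza is the check that the key landed in the intended stanza rather than in the token's own [http://...] stanza.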
Splunk HTTP Event Collector setup
The Splunk HTTP Event Collector must be set up to send data from Splunk UBA to the Splunk Platform. See Set up and use HTTP Event Collector in Splunk Web in the Splunk Cloud Platform manual.
For Splunk Cloud users, Splunk UBA does not programmatically set up a HTTP Event Collector token. Use the Admin Config Service to set up a token. For steps, see Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform in the Splunk Cloud Platform manual.
Refer to the following table for field name guidance:
| Field name | Value to enter |
|---|---|
| name | SplunkES-UBA-Integration.v1 |
| defaultSourcetype | ueba |
| allowedIndexes | ueba and risk |
Create the new HTTP Event Collector token, and copy down the value of the token. Also copy down the host and port used for the HTTP Event Collector, which are unique to each Splunk Cloud deployment.
Steps on the Splunk UBA management server
Perform the following steps on the Splunk UBA management server:
1. Log in to the Splunk UBA management server as the caspida user.
2. Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable:
. /opt/caspida/bin/CaspidaCommonEnv.sh
3. Import the root CA certificate into the Java certificate store.
Note: If you use your own third-party certificate, replace ~/cacert.pem with that certificate in the following commands. If you are on Splunk Cloud, replace ~/cacert.pem with the *.pem file copied previously from the Splunk Universal Forwarder app in the Splunk Enterprise search head step.
On RHEL or OEL systems, use the following command:
sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem
On Ubuntu systems, use the following command:
sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
When prompted, enter the keystore password and trust the certificate. The default keystore password is changeit.
CAUTION: Splunk Cloud users must repeat this step each time a new TLS certificate is issued for their Splunk Cloud deployment. keytool refuses to import a certificate under an alias that already exists, so when you repeat this step for a rotated certificate, delete the existing "splunk es" alias from the keystore first.
4. From the command line of the Splunk UBA management server, view the /etc/caspida/local/conf/uba-site.properties file to confirm that the following parameters are set to true:
uba.splunkes.integration.enabled=true
connectors.output.splunkes.ssl=true
5. For threats generated in UBA to properly close in ES, you must specify the uiServer.host=uba_management_node_host_name parameter. This parameter can be set directly in uba-site.properties or within the UBA UI: go to Settings, then Alerts, and then the Hostname of your Splunk UBA UI Server.
6. Customers with existing UBA-ES integrations must comment out or remove the previously configured [tcp-ssl:10008] stanza from the Splunk_TA_ueba inputs.conf on the Splunk ES search head to avoid having an unused listener.
7. If you are a Splunk Cloud user with custom configurations on your HTTP Event Collector (HEC), complete this step to ensure the HEC URL format is correct. Otherwise, skip to step 8.
  1. SSH into the Splunk UBA management server.
  2. Open /etc/caspida/local/conf/uba-site.properties.
  3. Use the following HEC URL formats and port 443 to configure the output connector. Replace <host> with the hostname of Splunk Enterprise Security:
| Cloud environment | HEC URL format |
|---|---|
| Amazon Web Services (AWS) | http-inputs-<host>.splunkcloud.com |
| Google Cloud Platform (GCP) | http-inputs.<host>.splunkcloud.com |
| FedRAMP / AWS GovCloud | http-inputs.<host>.splunkcloudgc.com |
8. Add the following properties to /etc/caspida/local/conf/uba-site.properties:
splunkes.hec.token.value = <token value of the HTTP Event Collector token>
splunkes.hec.host = <HTTP Event Collector host URI>
splunkes.hec.port = <HTTP Event Collector port>
Example:
splunkes.hec.host=test.splunk.com
splunkes.hec.token.value=c125bad8-b378-4fc9-861b-2d66096d2f86
splunkes.hec.port=443
9. If you set the name of the HTTP Event Collector token to a value other than SplunkES-UBA-Integration.v1, set the splunkes.hec.token.key field to that name.
10. Restart Splunk UBA. Run the following commands on the Splunk UBA management server:
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
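Both procedures on this page end with a restart of Splunk UBA, and a wrong property (a disabled flag, a token pasted with a stray character, a Cloud HEC host written with the AWS format on a GCP stack) only shows up afterwards as a silent connector failure. The following checker is an added example, not part of Splunk UBA: it parses the Java-style uba-site.properties file, verifies the properties this page requires (the audit push flag, the integration and SSL flags, uiServer.host and the splunkes.hec.* settings), derives the Splunk Cloud HEC hostname from the page's formats, and builds the request the connector will send. The sample file is constructed from the page's example values with a placeholder uiServer.host; that the host is a bare hostname and that the connector posts to the standard HEC /services/collector/event endpoint with a "Splunk <token>" Authorization header are assumptions.

```python
"""Pre-restart check of the HEC settings Splunk UBA reads from uba-site.properties.

Added example for this page, not part of Splunk UBA.
"""
import re
import uuid
from typing import Dict, List, Optional, Tuple

REQUIRED_TRUE = (
    "uba.sys.audit.push.splunk.enabled",   # audit events -> _audit index
    "uba.splunkes.integration.enabled",
    "connectors.output.splunkes.ssl",
)
DEFAULT_TOKEN_KEY = "SplunkES-UBA-Integration.v1"  # default HEC token name

# Splunk Cloud HEC hostname formats from this page; {host} is the deployment
# name. A self-managed ES search head is used as given.
CLOUD_HEC_FORMATS = {
    "aws": "http-inputs-{host}.splunkcloud.com",
    "gcp": "http-inputs.{host}.splunkcloud.com",
    "govcloud": "http-inputs.{host}.splunkcloudgc.com",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse `key=value` / `key = value` lines; '#' and '!' start comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def hec_host(deployment: str, cloud: Optional[str] = None) -> str:
    """Value for splunkes.hec.host: the page's Cloud formats, or the host as-is."""
    if cloud is None:
        return deployment
    return CLOUD_HEC_FORMATS[cloud].format(host=deployment)


def validate(props: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the settings are consistent."""
    problems: List[str] = []
    for key in REQUIRED_TRUE:
        if props.get(key, "").lower() != "true":
            problems.append(f"{key} must be true (got {props.get(key)!r})")
    try:
        uuid.UUID(props.get("splunkes.hec.token.value", ""))
    except ValueError:
        problems.append("splunkes.hec.token.value is not a HEC token (UUID)")
    port = props.get("splunkes.hec.port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"splunkes.hec.port is not a valid port: {port!r}")
    host = props.get("splunkes.hec.host", "")
    # Assumption from the page's example: a bare hostname, no scheme or path.
    if not host or "://" in host or "/" in host:
        problems.append("splunkes.hec.host must be a bare hostname")
    if host.startswith("http-inputs") and port != "443":
        problems.append("Splunk Cloud HEC endpoints are reached on port 443")
    if not props.get("uiServer.host"):
        problems.append("uiServer.host is unset; threats closed in UBA will not close in ES")
    return problems


def hec_request(props: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """URL and headers for the standard HEC event endpoint (assumed for UBA).

    The token travels in the Authorization header, not in the URL, so it does
    not land in proxy or web-server access logs.
    """
    url = (f"https://{props['splunkes.hec.host']}:{props['splunkes.hec.port']}"
           "/services/collector/event")
    headers = {"Authorization": f"Splunk {props['splunkes.hec.token.value']}"}
    return url, headers


# Constructed sample using the page's example values; uiServer.host is a placeholder.
SAMPLE_PROPERTIES = """\
# /etc/caspida/local/conf/uba-site.properties (constructed sample)
uba.sys.audit.push.splunk.enabled=true
uba.splunkes.integration.enabled=true
connectors.output.splunkes.ssl=true
uiServer.host=uba-mgmt.example.com
splunkes.hec.host=test.splunk.com
splunkes.hec.token.value=c125bad8-b378-4fc9-861b-2d66096d2f86
splunkes.hec.port=443
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for problem in validate(props) or ["OK: settings are consistent"]:
        print(problem)
    print(*hec_request(props))
```

Point it at the real file as the caspida user before running Caspida stop-all; a non-empty list from validate means the restart will not give you a working connector. If the token was created under a name other than SplunkES-UBA-Integration.v1, also confirm splunkes.hec.token.key is present, as step 9 requires.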