Splunk UBA deployment architecture
To scale Splunk User Behavior Analytics (UBA) in a distributed deployment, specific tasks are assigned to each physical server, or node, in a cluster. Each node then has specific services installed to support that task. The specific services installed on each node can vary depending on the size of your cluster. For example, in a 7-node deployment, Spark services are installed on node 7 only, while Hadoop services are installed on all nodes except for node 3.
- See Monitor the health of your Splunk UBA deployment in Administer Splunk User Behavior Analytics for more information about each type of service.
- See Where services run in Splunk UBA in Administer Splunk User Behavior Analytics for more information about finding where services are running in your Splunk UBA deployment.
In a single-node deployment, all services provided by the streaming and batch servers exist on the same node.
All nodes in your Splunk UBA deployment must meet the System requirements for Splunk UBA.
Server | Description |
---|---|
Management server | The management server hosts the Splunk UBA web interface. You only need one management server. Typical services installed on this server include the UI server, job manager master, InfluxDB server, PostgreSQL, Impala, and Zookeeper Quorum. |
Streaming server | Streaming servers are logical servers consisting of a collection of related streaming processes. A streaming server can exist on any single Splunk UBA node or across multiple nodes. Streaming servers handle the data processing tasks for streaming models in Splunk UBA such as Web Beaconing Detection Model, Network Transport Model, Land Speed Violation Model, and Unusual Windows Events Sequences Model. Streaming servers analyze ingested data in real time and determine the impact of those events over a short time window, such as the past hour. Based on this analysis, streaming servers can produce a multitude of items in Splunk UBA, such as anomalies, indicators of compromise (IoCs), or analytics data. Typical services installed on streaming servers include Kafka, Docker, Kubernetes, Zookeeper, and Redis. In Splunk UBA, select System > Models and click Streaming Models to view a complete list of available streaming models. |
Batch server | Batch servers are logical servers consisting of a collection of related batch processes. A batch server can exist on any single Splunk UBA node or across multiple nodes. Batch servers handle the data processing tasks for batch models in Splunk UBA. Some anomaly batch models include Unusual Volume of Authentication Events per User Model, Network Scanning Detection Model, and Suspicious Privilege Escalation Model. Some threat batch models include Lateral Movement Threat Model and Threat Computation Task (for detecting threats from anomalies). Batch servers analyze ingested data over a larger time window, such as the last 24 hours, typically running overnight due to the need to process a large amount of data. All threat models in Splunk UBA run as batch models, taking into account the aggregation of data in Splunk UBA including the data cataloged by the streaming servers. Batch servers produce threats and anomalies in Splunk UBA. Typical services installed on batch servers include Apache Spark and HDFS. In Splunk UBA, select System > Models and click Batch Models to view a complete list of available batch models. |
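The streaming/batch split in the table, as an added illustration that is not Splunk UBA's own code or models: a constructed streaming stage applies a simplified land-speed check over a one-hour window and emits anomalies, and a batch stage aggregates those anomalies over 24 hours into threats, mirroring the roles described above. The window sizes, the 1000 km/h ceiling, the anomaly threshold and the login events are all assumptions.

```python
# Two-tier pipeline mirroring the page's streaming/batch split. Constructed example,
# not Splunk UBA code; windows, thresholds and the haversine check are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
STREAM_WINDOW = timedelta(hours=1)    # short window ("the past hour")
BATCH_WINDOW = timedelta(hours=24)    # long window ("the last 24 hours")
MAX_SPEED_KMH = 1000.0                # assumed ceiling on plausible travel speed
THREAT_MIN_ANOMALIES = 2              # assumed anomaly count that raises a threat
# Constructed login events: (user, timestamp, latitude, longitude)
EVENTS = [
    ("alice", datetime(2024, 1, 1, 9, 0), 37.77, -122.42),   # San Francisco
    ("alice", datetime(2024, 1, 1, 9, 30), 40.71, -74.01),   # New York, 30 min later
    ("alice", datetime(2024, 1, 1, 20, 0), 40.71, -74.01),
    ("alice", datetime(2024, 1, 1, 20, 20), 51.51, -0.13),   # London, 20 min later
    ("bob", datetime(2024, 1, 1, 9, 0), 37.77, -122.42),
    ("bob", datetime(2024, 1, 1, 17, 0), 37.77, -122.42),    # 8 h later: outside window
]

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def streaming_stage(events):
    """Streaming role: per-user land-speed check over the short window -> (user, ts, kmh)."""
    anomalies, recent = [], defaultdict(list)
    for user, ts, lat, lon in sorted(events, key=lambda e: e[1]):
        # keep only this user's logins that fall inside the short window
        recent[user] = [e for e in recent[user] if ts - e[0] <= STREAM_WINDOW]
        for prev_ts, plat, plon in recent[user]:
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours > 0 and (speed := distance_km(plat, plon, lat, lon) / hours) > MAX_SPEED_KMH:
                anomalies.append((user, ts, round(speed)))
        recent[user].append((ts, lat, lon))
    return anomalies

def batch_stage(anomalies):
    """Batch role: aggregate anomalies per user over the long window -> {user: count}."""
    by_user, threats = defaultdict(list), {}
    for user, ts, _ in anomalies:
        by_user[user].append(ts)
    for user, stamps in by_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):   # any 24 h window starting at an anomaly
            count = sum(1 for t in stamps[i:] if t - start <= BATCH_WINDOW)
            if count >= THREAT_MIN_ANOMALIES:
                threats[user] = max(threats.get(user, 0), count)
    return threats
```

Running `batch_stage(streaming_stage(EVENTS))` yields a threat for alice only: her two impossible-travel logins fall within one 24-hour window, while bob's logins are too far apart to be compared by the streaming stage at all.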