Welcome to Splunk UBA 5.4.1.1and 5.4.1

UBA version 5.4.1.1

Splunk UBA 5.4.1.1 is a patch release. Splunk UBA version 5.4.1.1 does not include any new features but does address a known issue with an output connector.

Note: This patch is only for 5.4.1 customers who connect their on-premises UBA with SplunkCloud, and who encountered an ES OutputConnector connectivity issue.

The fixed issue in this patch release is not included in UBA version 5.4.2, but will be available in UBA version 5.4.3. UBA version 5.4.3 is scheduled for release in late June 2025.

CAUTION: Users who require the fix included with the version 5.4.1.1 patch should not upgrade to version 5.4.2, but wait to upgrade to version 5.4.3.

UBA version 5.4.1

Splunk UBA 5.4.1 is a maintenance and patch release. See About Splunk User Behavior Analytics and release types for more information about the different types of Splunk UBA releases.

If you are new to Splunk UBA, review all the steps in the Splunk UBA installation checklist before installing Splunk UBA.

CAUTION: Lower versions of Splunk UBA reach End of Support on set timelines. For more information, see the Splunk Support Policy

Planning to upgrade from an earlier version?

If you plan to upgrade to this version from an earlier version of Splunk UBA, read the following documents before you get started:

See Upgrade Splunk UBA prerequisites and overview in the Install and Upgrade Splunk user Behavior Analytics manual for information you need to know before you upgrade.
Splunk UBA requires incremental upgrades from earlier versions. See How to install or upgrade to this release of Splunk UBA in the Install and Upgrade Splunk User Behavior Analytics manual for upgrade path information.

What's new in version 5.4.1

Splunk UBA version 5.4.1 includes the following features and changes:


Feature, enhancement, or change	Description
Operating System updates:	The 5.4.1 release supports the following operating systems: Ubuntu version 20.04 (upgrades only, not new installations). RHEL version 8.10 (new installations and upgrades). RHEL version 8.8 (new installations and upgrades). RHEL version 8.6 (upgrades only, not new installations). Oracle/Linux (OEL) version 8.10 (new installations and upgrades). Oracle/Linux (OEL) version 8.9 (new installations and upgrades). Oracle/Linux (OEL) version 8.8 (upgrades only, not new installations). For more information, see Operating system requirements in the Install and Upgrade Splunk User Behavior Analytics manual.
False Positive Suppression Model enhancement	A Large Language Model (LLM) connector is now available. When you use the LLM connector, the model adheres to the `thresholdRanking` parameter. This parameter defines the maximum number of false alerts it will classify. See False Positive Suppression Model in the Use Splunk User Behavior Analytics manual.
Powershell Threat Detection Model enhancements	Splunk UBA version 5.4.1 introduces multiple enhancements to support the latest Windows log formats. For details see the new Splunk blog post Onboarding Windows Events to Powershell Threat Detection in UBA. To learn how to verify that PowerShell events are being accurately collected on your Windows machines see Configure PowerShell logging to see PowerShell anomalies in Splunk UBA.

Splunk UBA external dependencies

You can download a PDF file listing the external dependencies required to install Splunk UBA:

Splunk UBA External Dependencies

Do not independently upgrade the following UBA-dependent components to avoid impacting UBA operations:

docker
hadoop
hive
impala
influxdb
kafka
kubernetes
nodejs
openjdk
postgresql
protobuf
redis
spark
zookeeper

Documentation