Integrate Splunk ES and Splunk UBA with the Splunk Add-on for Splunk UBA
Use the Splunk Add-on for Splunk UBA to integrate Splunk Enterprise Security (ES) and Splunk User Behavior Analytics (UBA).
Note: The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). See How do I obtain the Splunk Add-on for Splunk UBA?
You can integrate Splunk UBA and Splunk ES to share the following types of data:
- Send Splunk UBA anomalies and threats to Splunk ES as notable events.
- Pull notable events from Splunk ES to Splunk UBA.
- Send Splunk UBA audit events to Splunk ES.
- Send Splunk UBA user and device association data to Splunk ES.
For more information, see Viewing data from Splunk UBA in Enterprise Security in Use Splunk Enterprise Security.
CAUTION: Use Splunk ES to close or reopen notable events in order to have the corresponding threats also be closed or reopened in Splunk UBA. Do not close or reopen threats in Splunk UBA.
Note: Splunk UBA version 5.4.0 and higher uses the HTTP Event Collector (HEC) to send events to the Splunk platform, and no longer uses the TCP inputs.conf stanza.