Send Splunk UBA audit events to Splunk ES

Send audit events from Splunk User Behavior Analytics (UBA) to Splunk Enterprise Security (ES) so that you can maintain a history of specific actions taken by analysts and hunters in Splunk UBA.

For example, if there is a need to re-examine a closed threat, you can use the audit history to determine which analyst closed the threat.

Perform the following tasks to send audit events to the Splunk platform to be added to the _audit index:

  1. Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA.
  2. Set up a search head or forwarder to receive data from Splunk UBA.
  3. Configure the Splunk platform to receive data from the Splunk UBA output connector.

Note: The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). See How do I obtain the Splunk Add-on for Splunk UBA?

Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA

Perform the following steps in Splunk UBA to enable audit logs to be sent to the Splunk platform:

  1. Set the uba.sys.audit.push.splunk.enabled property in the /etc/caspida/local/conf/uba-site.properties file to true: 
    uba.sys.audit.push.splunk.enabled=true
  2. Run the following command to synchronize the cluster: 
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  3. Run the following commands to restart Caspida services: 
    /opt/caspida/bin/Caspida stop
/opt/caspida/bin/Caspida start

Set up a search head or forwarder to receive data from Splunk UBA

You can choose to set up either a search head or a forwarder to receive data sent from Splunk UBA.

  • In Splunk UBA release 4.3.0 and lower, you can send data only to a Splunk search head.
  • In Splunk UBA release 4.3.1 and higher, you can send data to a Splunk search head or forwarder.

Perform the following steps to set up a search head to receive data from Splunk UBA:

  1. In Splunk Web, select Settings > Data Inputs.
  2. In the TCP row, click Add New.
  3. Enter 10008 in the Port field. This is the port configured to work with Splunk UBA.

Perform the following steps to set up a forwarder to receive data from Splunk UBA:

  1. Deploy the Splunk Add-on for Splunk UBA to the forwarder. See Deploy the Splunk Add-on for Splunk UBA.
  2. Configure the TCP input on the Splunk forwarder. See Get data from TCP and UDP ports in the Splunk Enterprise Getting Data In manual for information on how to configure a Splunk forwarder to receive a syslog input.

Configure the Splunk platform to receive data from the Splunk UBA output connector

The connection between Splunk UBA and the Splunk platform uses TCP-SSL by default. Set up the Splunk platform to accept the encrypted connection so that the Splunk platform can receive data from the Splunk UBA output connector.

Note: Splunk Cloud Platform customers must work with Splunk Cloud Platform Support to set up this connection.

The following procedure uses the Splunk default certificates and the global [SSL] stanza in the inputs.conf file. For better security, consider using your own certificates, or commercially signed certificates from a trusted certificate authority.

Steps on the Splunk Enterprise search head

Perform the following steps on the Splunk Enterprise search head. In a search head clustering environment, perform the changes on the search head that will receive UBA threats and anomalies:

  1. Create a local folder under $SPLUNK_HOME/etc/apps/Splunk_TA_ueba. For example: 
    cd /opt/splunk/etc/apps/Splunk_TA_ueba
mkdir local
cd local
  2. Create a file called inputs.conf and add the following stanza: 
    [tcp-ssl:10008]
listenOnIPv6 = no
index = ueba
sourcetype = ueba
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
  3. Restart Splunk Enterprise.
    1. In Splunk Web, select System > Server controls.
    2. Click Restart Splunk.
  4. Verify that SSL is enabled for port 10008 in $SPLUNK_HOME/var/log/splunk/splunkd.log, as shown in the following examples: 
    11-07-2019 15:07:42.661 -0800 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 10008 with SSL

    OR 

    02-28-2024 22:34:37.330 +0000 INFO  TcpInputConfig [3996510 TcpListener] - IPv4 port 10008 is reserved for raw input (SSL)
  5. Copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance to /home/caspida on the Splunk UBA management server.

    Note: If you use your own third-party certificate, copy that certificate file to /home/caspida on the Splunk UBA management server. Do not copy the root CA certificate from /opt/splunk/etc/auth/cacert.pem on the Splunk Enterprise instance.

Steps on the Splunk UBA management server

Perform the following steps on the Splunk UBA management server:

  1. Log in to the Splunk UBA management server as the caspida user.
  2. Ensure that $JAVA_HOME is set correctly on your system. Run the CaspidaCommonEnv.sh script to set this environment variable: 
    . /opt/caspida/bin/CaspidaCommonEnv.sh
  3. Import the rootCA certificate to the Java certificate store.

    Note: If you use your own third party certificate, replace ~/cacert.pem with that third party certificate in the following commands.

    On RHEL systems, use the following command: 

    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/lib/security/cacerts -file ~/cacert.pem

    On other Linux systems, use the following command: 

    sudo keytool -import -alias "splunk es" -keystore $JAVA_HOME/jre/lib/security/cacerts -file ~/cacert.pem
  4. When prompted, type the keystore password and trust the certificate. The default keystore password is changeit.
  5. From the command line of the Splunk UBA management server, view the /etc/caspida/local/conf/uba-site.properties file to confirm the following parameter is set to "true" as shown:
    connectors.output.splunkes.ssl=true
  6. Restart Splunk UBA. Run the following commands on the Splunk UBA management server: 
    /opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all