Splunk UBA (User Behavior Analytics) gives us deep insight into what is happening in our organization. It collects detailed data about the users in the organization and gives deep insight into insider threats, that is, what our trusted users are doing at any instant.

We can call this data HR data. It includes user details such as user eid, email, dept id, address, contact no, and login and logout details.

When data is onboarded in UBA, it checks whether any anomaly or threat is detected in association with any user or device in the organization, and it keeps track of the anomalies and threats generated by those users or devices. Data onboarded in UBA must be CIM compliant with the Datamodel. UBA collects data from Splunk Enterprise or Splunk Enterprise Security, analyzes it to find anomalies and threats, and sends that event data back to Splunk ES so that use cases can be created on it.

Prerequisites: The data to be onboarded in UBA must already be onboarded and searchable on the search head, i.e. Splunk ES.

The indexed data must be CIM compliant with its specified Datamodel, e.g. Authentication, Malware, Endpoint, etc.

To make indexed data CIM compliant with the Authentication Datamodel

Above we have index=mi_cs sourcetype=crowdstrike:flaconhost:json. We have to make this data CIM compliant with the Authentication Datamodel.

The screenshot above shows the Authentication Datamodel under Settings -> Datamodel -> Authentication.

To map the index=mi_cs data to the Authentication Datamodel, we have to add the index to the associated macro of the Authentication Datamodel, which is `cim_Authentication_indexes`.

We can add that index with the help of the Splunk Common Information Model app.

Go to App -> Manage Apps -> Search for Splunk Common Information Model -> Set up

Under Datamodel, select the Authentication Datamodel, add the index mi_cs in Indexes Whitelists, and save it.

To get the data mapped into the Authentication Datamodel, we have to create specific eventtypes and add tags to them. The tag to add is tag=authentication.

We created an eventtype from a search string that matches only the success and failure events in index=mi_cs, and added the authentication tag to that eventtype.

To validate, we search index=mi_cs tag=authentication

Data is now populating on the basis of tag=authentication. Next we have to create field aliases, calculated fields, or field extractions to map the fields present in index=mi_cs to the fields present in the Datamodel, so that the values in the mi_cs index populate the Authentication Datamodel fields.

We have to rename the fields present in index=mi_cs to the field names used in the Authentication Datamodel, so that the values get mapped into the Datamodel fields. Once all the fields are mapped as they appear in the Authentication Datamodel, check the Datamodel query.

The index=mi_cs data is now mapped to the Authentication Datamodel.
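The eventtype, tag and field-mapping steps above, written as the configuration files they produce. This is an added example, not configuration from the original post: the eventtype name `mi_cs_authentication` and the source field names `raw_status`, `raw_user`, `raw_src` and `raw_dest` are hypothetical placeholders for whatever fields your mi_cs events actually contain.

```ini
# ---- eventtypes.conf ----
# Eventtype restricted to success and failure events from the index.
# raw_status is a hypothetical field name; substitute the outcome field
# that exists in your own events.
[mi_cs_authentication]
search = index=mi_cs sourcetype=crowdstrike:flaconhost:json (raw_status=success OR raw_status=failure)

# ---- tags.conf ----
# The Authentication Datamodel selects events by tag=authentication,
# so the tag is attached to the eventtype defined above.
[eventtype=mi_cs_authentication]
authentication = enabled

# ---- props.conf ----
# Search-time mappings for the sourcetype. Field aliases are applied
# before calculated fields, so an EVAL could also reference an alias.
[crowdstrike:flaconhost:json]
# Rename source fields (hypothetical names) to the CIM field names.
FIELDALIAS-mi_cs_user = raw_user AS user
FIELDALIAS-mi_cs_src  = raw_src AS src
FIELDALIAS-mi_cs_dest = raw_dest AS dest
# CIM expects lowercase action values. Searches match case-insensitively
# but eval comparisons do not, so normalise the value before comparing.
EVAL-action = case(lower(raw_status)=="success", "success", lower(raw_status)=="failure", "failure")
```

With these in place, the validation search `index=mi_cs tag=authentication` should return events whose `action`, `user`, `src` and `dest` fields are populated.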

To onboard data in UBA, log in to the UBA instance
Go to Manage -> Data Sources

To create a connection between Splunk ES and UBA to send logs

Clone an existing data source or create a new one to onboard data

Add a Connection Name, fill in all the details, and click Next

Select All Time as the time range

Add the Splunk query that collects the logs from Splunk ES into UBA and click Next

Note: To onboard data from an ES CIM compliant Datamodel to UBA, the required fields and tags must be present. Each UBA category has its own fields, similar to the CIM compliant Datamodel. To onboard data in UBA successfully, the required fields must be added along with the tags and eventtypes. If a field that needs to be mapped to a UBA data field is not present in the index, we can keep the field blank in the query, i.e. define `| eval protocol=""` if the protocol field is not mapped in the index data.

The Splunk query above queries the data from Splunk ES and onboards it in UBA. It is important that fields which are not mapped in the Datamodel are kept blank while onboarding in UBA. UBA will run this query and map the data into the UBA Datamodel.

Select the appropriate Datamodel, Authentication, to map the mi_cs data to the Authentication Datamodel in UBA, and select Next.

We can see data events getting onboarded in UBA

We can see the EPS (Events Per Second) coming into UBA from the CIM compliant data in Splunk ES.
