Add CIM-compliant data from the Splunk platform to Splunk UBA

Add CIM-compliant data mapped to security-relevant data models from the Splunk platform to Splunk UBA.

Use Splunk Direct to add a CIM-compliant data source to Splunk UBA

After you determine the Splunk UBA categories that correspond to your CIM-compliant data, add the data to Splunk UBA.

In Splunk UBA, select Manage > Data Sources. Then choose New Data Source and complete the following pages in the wizard to configure the data source:

1. Select a data source type of Splunk and click Next.

2. Specify a name for the data source, such as SplunkEnterprise. The data source name must be alphanumeric with no spaces or special characters.

3. Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port, for example. If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point of failure. Ensure that port 8089 is accessible on the load balancer.

4. Type the username and password for the Splunk platform account.

5. Leave the default Connector Type of Splunk Direct.

6. Choose how Splunk UBA retrieves the data:
   - To continuously retrieve data using time-based micro-batch queries, select Live and All time.
   - To retrieve data for a specific time window, select Live and Time Window and specify a time period. For example, specify 8h 30s to retrieve data for the past 8 hours and 30 seconds.
   - To add historical data from the Splunk platform, select Date Range and select a calendar date range. Only events within the specified calendar window are retrieved. This is a one-time search that is performed when the data source is added to Splunk UBA; micro-batch queries are not used for this search.

7. Identify the source types. Select Splunk Query and enter a search in the field to identify the source type, or select Source Types to view a list of all source types from the Splunk platform. Select the check boxes for source types that all map to the same CIM data model and Splunk UBA category. For example, select three different source types of data mapped to the Malware data model that map to the Host AV category in Splunk UBA. You can select multiple source types and map them to multiple categories. Selecting Source Types can have a significant impact on the performance of the Splunk indexers.

8. Select the category for the data source types that you selected.

9. Review the list of field mappings to make sure that fields are correctly mapped. The wizard automatically maps a field from the Splunk platform data to the corresponding field expected by Splunk UBA if it has the same name. If needed, map the fields required by Splunk UBA to the matching fields in the Splunk platform data.

10. Review the Splunk search created by the wizard. If you want, run the search in the Splunk platform to verify that the data output matches what you expect to see. The source type in the Splunk platform appears on threats and anomalies in Splunk UBA. If you want to alias the source type to a more meaningful or accurate value, add an eval statement to the search to set the source type value to a custom value:

   | eval sourcetype="Your Custom Value"

   When creating a Splunk Direct data source with multiple formats, make sure the SPL ends with | fields * so that all fields are returned to Splunk UBA from the Splunk platform.

11. Check the CIM validation results. When using Splunk Direct to create a data source, Splunk UBA performs CIM validation on a sample of events returned from the query, suggests the categories you should select based on the tags observed, specifies the coverage percentage, and provides recommendations. In this example, the DHCP category was selected in the previous step, but Splunk UBA's CIM validation shows that there is no coverage for this category based on the sample events. In this situation, return to the previous screen and remove DHCP as a category. If Splunk UBA detects full coverage on the sample events, no message is displayed.

12. To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
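The CIM validation step described above (suggest categories from observed tags, report per-category coverage on sample events, recommend removing categories with no coverage) can be rehearsed offline before you commit a data source. The following is an added example, not Splunk UBA's own code; the category-to-tag and category-to-field tables and the sample events are constructed, illustrative assumptions, so substitute the fields your own categories actually require.

```python
"""Offline rehearsal of the Splunk Direct CIM validation step (added example)."""
from typing import Dict, List, Tuple

# Assumed, illustrative mappings; Splunk UBA's real requirements may differ.
CATEGORY_TAGS: Dict[str, set] = {
    "Host AV": {"malware"},              # Malware data model
    "DHCP": {"network", "session", "dhcp"},  # Network Sessions data model
}
CATEGORY_FIELDS: Dict[str, List[str]] = {
    "Host AV": ["dest", "signature", "action"],
    "DHCP": ["src_ip", "src_mac", "lease_duration"],
}

# Constructed sample events in the flat form a search returns; "tag" is space-joined.
SAMPLE_EVENTS = [
    {"sourcetype": "vendor_a:av", "tag": "malware attack", "dest": "host1",
     "signature": "Trojan.Example", "action": "blocked"},
    {"sourcetype": "vendor_b:av", "tag": "malware attack", "dest": "host2",
     "signature": "Generic.Example"},               # no action field
    {"sourcetype": "vendor_c:av", "tag": "malware", "dest": "host3",
     "signature": "Worm.Example", "action": "allowed"},
]


def observed_tags(events: List[dict]) -> set:
    """Union of all CIM tags seen across the sample."""
    return {t for e in events for t in e.get("tag", "").split() if t}


def suggest_categories(events: List[dict]) -> List[str]:
    """Categories whose tag set overlaps the tags observed in the sample."""
    tags = observed_tags(events)
    return sorted(c for c, want in CATEGORY_TAGS.items() if want & tags)


def coverage(events: List[dict], fields: List[str]) -> float:
    """Percentage of events carrying every field the category needs."""
    if not events:
        return 0.0
    full = sum(1 for e in events if all(e.get(f) not in (None, "") for f in fields))
    return round(100.0 * full / len(events), 1)


def validate(events: List[dict], selected: List[str]) -> Tuple[Dict[str, float], List[str]]:
    """Per-category coverage for the selected categories, plus those to remove (0% coverage)."""
    report = {cat: coverage(events, CATEGORY_FIELDS[cat]) for cat in selected}
    remove = [cat for cat, pct in report.items() if pct == 0.0]
    return report, remove
```

Run `validate(SAMPLE_EVENTS, ["Host AV", "DHCP"])` to reproduce the page's scenario: Host AV is partially covered, DHCP has no coverage and is flagged for removal.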