Splunk Lantern

Splunk User Behavior Analytics Owner's Manual

Splunk User Behavior Analytics (UBA) uses machine learning techniques to detect insider threats and advanced attacks against a business and its IT infrastructure. These types of threats are difficult to detect by other means.

Like any complex system, UBA requires regular maintenance for it to function optimally. Just as a car needs its oil changed regularly, UBA requires a specific set of tasks to be performed at regular intervals. The responsibility for performing these tasks rests with the owner of the individual implementation of Splunk UBA. This may be a team of people or a single individual. This manual describes the recommended ongoing maintenance tasks that the owner of a Splunk UBA implementation should ensure are performed to keep their implementation functional.

How to use this owner’s manual

Each task has a recommended schedule. For the tasks covered here, the recommended frequency ranges from weekly to every six months (see the maintenance schedule below).

This manual does not require a deep understanding of Splunk UBA. The procedures are written so that anyone with a moderate technical understanding of IT systems and general domain knowledge in cyber security can perform them.

Maintenance schedule

These procedures are valid as of UBA version 5.3.0.

Tasks

  • Anomaly rule tuning. This activity assesses the output of the Splunk UBA anomaly models and identifies anomalies that are either inaccurate or irrelevant to the customer organization.
  • Sizing adherence checks. This activity assesses how closely the UBA cluster currently adheres to the UBA sizing guidelines and determines whether the cluster needs to be resized.
  • OS security patching. This activity covers applying OS security patches to a UBA cluster according to Splunk best practices.
  • Back-up file directory cleanup. This task removes old files from the backup directory of the UBA cluster so that accumulating incremental UBA backups do not fill the node disk and subsequently compromise cluster functionality.
  • Data source integrity validation. This activity analyzes each data input to Splunk UBA to confirm the integrity of the log data being ingested and the overall health of the input process itself.

Schedule

The following schedule lists the minimum frequency at which each maintenance procedure should be performed, and the time each is expected to take.

Task                               Performed at least every                          Expected duration
Anomaly rule tuning                Two weeks                                         45 minutes
Sizing adherence checks            Three months                                      30 minutes
OS security patching               Six months (see procedure notes for exceptions)   30 minutes
Back-up file directory cleanup     One month                                         15 minutes
Data source integrity validation   One week                                          45 minutes