Splunk UBA Data Source for Excessive Data Transmis...

JK42 · ‎10-18-2018

Hello all,

We have Splunk UBA and I'm trying to figure out some things. For the Excessive Data Transmission anomaly, I am showing the input as my Checkpoint firewall logs. It seems to be working as I get anomalies triggering.

My question is, where is UBA getting the amount of data transferred? When I look at the firewall logs themselves (both in the firewall log server and on Splunk) there doesn't seem to be any data relating to amount of data transferred.

Thanks

lakshman239 · ‎07-30-2019

There are a number of models within UBA which feed data to 'Excessive Data Transmission' Anomaly. You can verify the same in your env/configuration by going to "System" -> Data Availability and choose Excessive data transmission. This will show all your data sources involved/configured and you can then work backwards to see which of them have bytes, as this will be used for amount of transfer.

cmeisch · ‎07-11-2019

I have it coming in from various sources (not just FW). But if I had to guess it correlates the source to dest information and the data that is transferred within that session.

Splunk UBA Data Source for Excessive Data Transmission

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!