All Apps and Add-ons

Splunk UBA Data Source for Excessive Data Transmission


Hello all,

We have Splunk UBA and I'm trying to figure out some things. For the Excessive Data Transmission anomaly, I am showing the input as my Checkpoint firewall logs. It seems to be working as I get anomalies triggering.

My question is, where is UBA getting the amount of data transferred? When I look at the firewall logs themselves (both in the firewall log server and on Splunk) there doesn't seem to be any data relating to amount of data transferred.


0 Karma


There are a number of models within UBA which feed data to 'Excessive Data Transmission' Anomaly. You can verify the same in your env/configuration by going to "System" -> Data Availability and choose Excessive data transmission. This will show all your data sources involved/configured and you can then work backwards to see which of them have bytes, as this will be used for amount of transfer.

0 Karma

Path Finder

I have it coming in from various sources (not just FW). But if I had to guess it correlates the source to dest information and the data that is transferred within that session.

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...