All Apps and Add-ons

Splunk UBA Data Source for Excessive Data Transmission

JK42
Explorer

Hello all,

We have Splunk UBA and I'm trying to figure out some things. For the Excessive Data Transmission anomaly, I am showing the input as my Checkpoint firewall logs. It seems to be working as I get anomalies triggering.

My question is, where is UBA getting the amount of data transferred? When I look at the firewall logs themselves (both in the firewall log server and on Splunk) there doesn't seem to be any data relating to amount of data transferred.

Thanks

0 Karma

lakshman239
Influencer

There are a number of models within UBA which feed data to 'Excessive Data Transmission' Anomaly. You can verify the same in your env/configuration by going to "System" -> Data Availability and choose Excessive data transmission. This will show all your data sources involved/configured and you can then work backwards to see which of them have bytes, as this will be used for amount of transfer.

0 Karma

cmeisch
Path Finder

I have it coming in from various sources (not just FW). But if I had to guess it correlates the source to dest information and the data that is transferred within that session.

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...