Splunk UBA Data Source for Excessive Data Transmis...

JK42 · ‎10-18-2018

Hello all,

We have Splunk UBA and I'm trying to figure out some things. For the Excessive Data Transmission anomaly, I am showing the input as my Checkpoint firewall logs. It seems to be working as I get anomalies triggering.

My question is, where is UBA getting the amount of data transferred? When I look at the firewall logs themselves (both in the firewall log server and on Splunk) there doesn't seem to be any data relating to amount of data transferred.

Thanks

lakshman239 · ‎07-30-2019

There are a number of models within UBA which feed data to 'Excessive Data Transmission' Anomaly. You can verify the same in your env/configuration by going to "System" -> Data Availability and choose Excessive data transmission. This will show all your data sources involved/configured and you can then work backwards to see which of them have bytes, as this will be used for amount of transfer.

cmeisch · ‎07-11-2019

I have it coming in from various sources (not just FW). But if I had to guess it correlates the source to dest information and the data that is transferred within that session.

Splunk UBA Data Source for Excessive Data Transmission

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation