All Apps and Add-ons

UBA user risk score

dellytaniasetia
Explorer

Hi

can I get user risk score in UBA from Splunk ES search command, given the user name.

Thanks,

0 Karma
1 Solution

David
Splunk Employee
Splunk Employee

Not directly, no. However, Splunk ES can ingest anomalies and threats, which can then impact the ES risk score. Out of the box, we will increase the ES risk score for any threats, and you could easily create a new correlation search looking for the anomalies (index=ueba uba_evt_type=anomaly if my memory serves) that would not create a notable event, but would create a risk entry. That would allow anomalies to also impact your ES risk score.

Does that seem like it might meet your needs?

View solution in original post

David
Splunk Employee
Splunk Employee

Not directly, no. However, Splunk ES can ingest anomalies and threats, which can then impact the ES risk score. Out of the box, we will increase the ES risk score for any threats, and you could easily create a new correlation search looking for the anomalies (index=ueba uba_evt_type=anomaly if my memory serves) that would not create a notable event, but would create a risk entry. That would allow anomalies to also impact your ES risk score.

Does that seem like it might meet your needs?

dellytaniasetia
Explorer

Hello,

How about to get daily dynamic lookup from UBA containing high-risk user? is it possible?

thanks again

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...