All Apps and Add-ons

Does Splunk User Behavior Analytics (Splunk UBA) use span port to monitor the network or another way?

wanghe928
Explorer

It seems Splunk Enterprise Security supports span port monitoring, but I didn't find any information about Splunk UBA.

1 Solution

David
Splunk Employee
Splunk Employee

Absolutely UBA can support this, with a minor go-between. UBA pulls data in from Splunk, so we would typically expect to see Bro or Splunk Stream on the SPAN port, sending data into Splunk Enterprise which then UBA would pull. If you wanted to avoid the middle-man of Splunk Enterprise and go directly from SPAN to UBA, you'd need to run Bro which is third party open source software, but very effective and well understood. Bro writes to files, which you could then monitor with syslog-ng or rsyslog and send the events directly to UBA over UDP/TCP syslog. Obviously, depending on the volume of data and what you want to get out of it, you should probably have a deeper conversation with one of the Splunk engineers (full disclosure: I am one of them), but at a high level, you can get data from SPAN to UBA in a few different ways, and it's been done many times by customers.

View solution in original post

David
Splunk Employee
Splunk Employee

Absolutely UBA can support this, with a minor go-between. UBA pulls data in from Splunk, so we would typically expect to see Bro or Splunk Stream on the SPAN port, sending data into Splunk Enterprise which then UBA would pull. If you wanted to avoid the middle-man of Splunk Enterprise and go directly from SPAN to UBA, you'd need to run Bro which is third party open source software, but very effective and well understood. Bro writes to files, which you could then monitor with syslog-ng or rsyslog and send the events directly to UBA over UDP/TCP syslog. Obviously, depending on the volume of data and what you want to get out of it, you should probably have a deeper conversation with one of the Splunk engineers (full disclosure: I am one of them), but at a high level, you can get data from SPAN to UBA in a few different ways, and it's been done many times by customers.

wanghe928
Explorer

Hi David,

Thanks for your kind answer. As I understand it, UBA is not able to collect raw data but needs a indirection layer like Bro or Splunk Enterprise. My question is does Bro do the same thing as ArcSight? If we already have ArcSight in the environment and send the date from ArcSight to UBA, does it make any difference? Thanks in advance!

0 Karma

David
Splunk Employee
Splunk Employee

Depends on the data and what you want to do, but most likely if you have the data in ArcSight, you can pull it directly into UBA without much fuss. ArcSight (assuming UBA gets the CEF output) will act as a normalization layer, and make life easy for UBA. Not familiar with an ArcSight SPAN sensor myself, but so I can't speak personally to ArcSight vs Bro, but Bro will extract connection and application data (e.g., HTTP requests, Emails, etc.) while listening on a SPAN port, at pretty high speeds. Splunk Stream also does similar things -- both tools have a few unique pieces of functionality that the other doesn't and make themselves better for some use cases, but share similar core functionality.

Notably, these are all things that Splunk engineers are happy to help answer -- if you're working on a deployment like this, maybe you reach out to your SE? If you don't know who your SE is, I can reach out offline to set up a conversation.

0 Karma

wanghe928
Explorer

I sent email to ubainfo@splunk.com three days ago but did not get any reply yet, that's why I asked here. Could you let me know where can I find your email? We have some questions to be confirmed before the deployment. Thank you!

0 Karma

David
Splunk Employee
Splunk Employee

Glad we were able to connect offline, and please don't hesitate to email me if you have any further questions.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...