All Apps and Add-ons

Splunk UBA Data Source for Excessive Data Transmission


Hello all,

We have Splunk UBA and I'm trying to figure out some things. For the Excessive Data Transmission anomaly, I am showing the input as my Checkpoint firewall logs. It seems to be working as I get anomalies triggering.

My question is, where is UBA getting the amount of data transferred? When I look at the firewall logs themselves (both in the firewall log server and on Splunk) there doesn't seem to be any data relating to amount of data transferred.


0 Karma


There are a number of models within UBA which feed data to 'Excessive Data Transmission' Anomaly. You can verify the same in your env/configuration by going to "System" -> Data Availability and choose Excessive data transmission. This will show all your data sources involved/configured and you can then work backwards to see which of them have bytes, as this will be used for amount of transfer.

0 Karma

Path Finder

I have it coming in from various sources (not just FW). But if I had to guess it correlates the source to dest information and the data that is transferred within that session.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...