
Currently in the middle of yet another SIEM selection/eval project, with Splunk ES definitely among the finalists of the pre-trials. ES will be handling a medium-sized environment with an expected daily ingress volume of 100GB/day, varied retention periods of up to 180d.

Next up is comparing and contrasting U(E)BA functionality. What I have gathered so far (pls, pls correct me if I'm wrong with some of the points) for Splunk UBA:

- Separate installation of management/batch/streaming nodes.
- All relevant data ingested into ES will need to be forwarded to UBA instance(?).

What sort of storage demand will we need to take into consideration? The data being sent to UBA - will it only be used for drive-through analysis by the various ML models and discarded afterwards? If not, will we need to address an additional storage demand of x% the ES volume with x being. How does one go about analyzing historical data residing in ES? Within ES or data being pulled/duplicated into UBA? Other vendors/solutions more or less demand the latter - additional "data lake" (double ye storage) on HDFS or Elastic being worked on by Spark and Kafka. Would really appreciate some real world insight here without having to go all-in on resorting to your friendly sales consultant - no offence :)

As per other comments, I would suggest getting Splunk PS on this one. UBA has a few curly bits to deal with as you implement it. I've implemented UBA a number of times for my own clients and as a sub-contractor to Splunk PS, so I can try and give you some general help to understand the product more fully. That said, this still makes me fairly far from being a neutral party. UBA is a bit complex to explain, a bit tricky to implement, and in the past has been a bit temperamental to run (although this is much better lately). But it is also pretty much my favourite Splunk product in terms of the interesting security indicators it will produce in most organisations.

> Separate installation of management/batch/streaming nodes

You just install the UBA cluster and its services are distributed automatically. One primary node is designated as "management", but you have no need to worry about or manually control any other node functions. Ideally you can install on VMware or AWS and use the appliances that Splunk provides for these platforms.

You only need to decide the number of nodes, which is based on a combination of EPS, number of active identities and devices being analysed and the number of data sources. When that is decided, the storage is decided for you. I would suspect either 1 or 3 nodes for 100GB/day, but that's guessing based on previous installs I've done - you need to do the pre-analysis to figure out correct sizing. For 3 nodes, the total disk space required is ~5TB. Please don't try and undersize UBA, as it can easily get into resource starvation if it doesn't have enough nodes.

UBA doesn't really keep historical raw events, just the meta-events that UBA derives from the raw events that it ingests. So ES is still the primary historical analysis tool. Maybe think of UBA as finding weird patterns of events that you should then go and investigate via ES. Also be aware that UBA takes 6-12 weeks of learning before it will produce much of use (the actual time period will vary depending on your organisation).

UBA does have some historical analysis dashboards, but it's all just reporting against the metadata UBA keeps for its streaming models, not against the raw events.

Thanks for the detailed comment - highly appreciated! UBA will need a considerable "working buffer" to receive, manipulate and learn on the raw data. Condensed data relevant to the mere learning process will be kept; we will not need to double our 100TB log lake. That's the only open question on my side (at this stage of the project :) ). Re retrospection - I've seen that Enterprise/ES comes equipped with basic statistic eval options which I can use to, let's say, generate a trend plot on ssh activity for March to May. Can I pull the March-May data into UBA to start "training" on the existing data?
