The Splunk UBA audit log records each user's logins, with the exact login times and the operations (commands) performed, which makes it quite useful for user behavior analysis: for example, if an analyst deletes a threat, that action can be traced back. Below is how to send the UBA audit log to Splunk ES:
Perform the following tasks to send audit events to the Splunk platform to be added to the _audit index.
1: Add or set the uba.sys.audit.push.splunk.enabled property in Splunk UBA.
2: Set up a search head or forwarder to receive data from Splunk UBA.
3: Configure the Splunk platform to receive data from the Splunk UBA output connector.
Perform the following steps in Splunk UBA to enable audit logs to be sent to the Splunk platform:
1: Set the uba.sys.audit.push.splunk.enabled property in the /etc/caspida/local/conf/uba-site.properties file to true:
uba.sys.audit.push.splunk.enabled=true
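Since the property may already be present (possibly commented out) in uba-site.properties, a blind append can leave two competing definitions. The following is an added example, not from the post or the Splunk documentation: it sets a key in a Java-style properties file idempotently and reads the effective value back. It assumes the standard key=value format and uses a constructed temporary copy in place of the real /etc/caspida/local/conf/uba-site.properties so it runs without a UBA host.

```shell
#!/bin/sh
# Added example: idempotently set KEY=VALUE in a properties file and verify it.
# The file used below is a constructed sample, not a real UBA configuration.
set -eu

# Escape regex metacharacters in a property key (dots in particular).
escape_key() {
    printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'
}

# set_property FILE KEY VALUE: rewrite an existing "KEY=..." line (commented or
# not) in place, or append one, so the key is defined exactly once.
set_property() {
    file="$1"; key="$2"; value="$3"
    esc=$(escape_key "$key")
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${esc}[[:space:]]*=.*|${key}=${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY: print the effective value (last active definition wins).
get_property() {
    file="$1"; key="$2"
    esc=$(escape_key "$key")
    grep -E "^[[:space:]]*${esc}[[:space:]]*=" "$file" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# Constructed stand-in for uba-site.properties, with the audit push property
# present but commented out, as a fresh install might ship it.
PROPS=$(mktemp)
cat > "$PROPS" <<'EOF'
# Splunk UBA site properties (constructed sample)
some.other.setting=keep-me
# uba.sys.audit.push.splunk.enabled=false
EOF

set_property "$PROPS" uba.sys.audit.push.splunk.enabled true
echo "effective value: $(get_property "$PROPS" uba.sys.audit.push.splunk.enabled)"
```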