TTechclick ⚡ XP 0% All lessons
Splunk · SIEM · UBAInteractive · L1 / L2 / L3

Splunk UBA — Behaviour Analytics, ML Anomalies & Kill-Chain Threats

Splunk UBA watches every user and device, builds a baseline of normal behaviour using unsupervised machine learning, and then groups low-level anomalies into high-fidelity kill-chain threats before pushing them into Splunk Enterprise Security. This lesson maps the full pipeline — data in, ML models, anomaly scoring, threat correlation, and ES integration — so you can explain it in an interview and tune it in production.

📅 2026-06-20 · ⏱ 17 min · 4 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Splunk UBA in 2026: how unsupervised ML profiles users and entities, converts anomalies into kill-chain threats, and feeds high-fidelity notables into Splunk Enterprise Security.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

What UBA is

ML baselines, anomalies, and why rules alone fail.

 2

ML models

Streaming, batch, peer groups, entity risk scores.

 3

Kill-chain threats

Anomaly correlation across attack lifecycle phases.

 4

ES integration

Bidirectional sync, notable events, and tuning.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can a rule-based SIEM alone detect a slow, credential-based insider threat?

Answered in What UBA is.

2. What does Splunk UBA call a cluster of related anomalies mapped to attack phases?

Answered in Kill-chain threats.

3. How does UBA push findings into Splunk Enterprise Security?

Answered in ES integration.

Most engineers think…

Most security engineers assume SIEM correlation rules are enough to catch insider threats: 'just write a rule for unusual login hours.' That picture breaks down the moment an attacker moves slowly, blends into normal hours, or uses stolen valid credentials.

Splunk UBA adds a behavioural layer on top of your SIEM. It ingests the same data, builds unsupervised ML baselines for each user and entity, spots deviations as anomalies, then clusters those anomalies across kill-chain phases into high-confidence threats. The result: analysts see five high-fidelity threats instead of fifty thousand raw events — and each threat already shows which kill-chain stages were hit.

① What Splunk UBA actually is — behavioural baselines, not rules

Traditional SIEM rules fire when an event matches a known pattern: 'five failed logins in a minute.' Splunk UBA takes a different approach. It ingests events — authentication logs, VPN sessions, DLP alerts, HR data, cloud activity — and uses unsupervised machine learning to build a personal baseline for every user and every entity (device, account, application). No pre-written rule, no labelled training set.

When behaviour drifts from that baseline — a user downloading ten times more data than usual, logging in from a new country at 2 a.m., or accessing systems peers never touch — UBA raises an anomaly. Anomalies are scored, time-stamped, and attached to the user or entity that generated them. The power is that UBA distils millions of raw events down to a few hundred anomalies per day, and then further to a handful of actionable threats.

Figure 1 — UBA pipeline — raw events to SOC threat
UBA condenses millions of events into a handful of actionable kill-chain threats before they reach the analyst queue.UBA pipeline — raw events to SOC threatIngestlogs, HR, DLP, cloudAggregateanalytics storeML modelbaseline + scoreAnomalyrisk-scored deviationThreatkill-chain correlated
UBA condenses millions of events into a handful of actionable kill-chain threats before they reach the analyst queue.
Quick check · Q1 of 10 · Understand

Why can Splunk UBA detect insider threats that rule-based SIEM correlation misses?

Correct: c. UBA uses unsupervised ML to profile normal behaviour for each user and entity, so it catches novel deviations — slow credential abuse, off-hours access — that no rule was written for. Rules can only match known patterns.
👉 So far: Splunk UBA = unsupervised ML baselines per user and entity, distilling millions of events to scored anomalies — no pre-written rules needed.

② ML models — streaming, batch and peer groups

UBA runs two model families. Streaming models process every event in real time — vital when sequence and timing matter, such as detecting a rapid privilege escalation or a burst of failed authentications followed immediately by a success. Batch models operate on aggregated events over a sliding window, re-training on recent history to re-score entity risk as behaviour shifts week to week.

Peer groups — the comparison engine

Both model families rely on peer groups. UBA builds four kinds: HR peer groups from Active Directory groups and management chains; Organisational Unit (OU) peer groups from AD OU structure; behavioural peer groups formed by clustering similar activity patterns; and device peer groups by network activity. A sales rep accessing source-code repositories is anomalous only if none of their behavioural peers ever do the same — peer groups make that judgement automatic.

Each entity accumulates an Entity Risk Score — the weighted sum of its active anomalies. Analysts use the risk score leaderboard to spot the highest-risk users before an alert even fires.

Figure 2 — UBA model layers
UBA stacks streaming and batch models on the analytics store to build anomalies, then correlates them into threats.UBA model layersThreat layerkill-chain correlation across phasesAnomaly layerscored deviations from ML baselineBatch modelssliding-window re-trainingStreaming modelsreal-time per-event detectionAnalytics storeaggregated events, configurable retention
UBA stacks streaming and batch models on the analytics store to build anomalies, then correlates them into threats.
📊
Entity Risk Score
tap to flip

The weighted sum of all active anomalies for a user or device. The risk leaderboard surfaces the highest-risk entities — analysts prioritise from here before alerts even fire.

🤖
Streaming vs Batch
tap to flip

Streaming models score every event in real time (sequence-sensitive). Batch models re-train on aggregated data over a sliding window to track shifting baselines week to week.

👥
Peer Groups
tap to flip

HR, OU, behavioural and device peer groups. A behaviour is anomalous only if none of an entity's peers share it — peers make ML context-aware and stop role-typical actions from firing alerts.

🔗
Kill-Chain Threat
tap to flip

UBA groups anomalies by entity and kill-chain phase. When multiple phases align for one user, it raises a named threat (e.g. Data Exfiltration by Compromised Account) with a full timeline of evidence.

Name the model types in an interview

Always distinguish streaming models (real-time, sequence-aware) from batch models (aggregated, sliding-window re-training) and explain that both depend on peer groups to make a behaviour anomalous relative to similar users — not just to the global population.

Quick check · Q2 of 10 · Remember

Which UBA model type is most important for detecting a burst of failed logins immediately followed by a success?

Correct: a. Streaming models process each event as it arrives and are sensitive to sequence and timing — essential for catching rapid event chains like failed-then-successful authentication bursts.
👉 So far: Two model types: streaming (real-time, sequence-sensitive) and batch (sliding-window re-training). Four peer group kinds (HR, OU, behavioural, device) make anomaly scoring context-aware.

③ Kill-chain threats — correlating anomalies across attack phases

An anomaly is a data point; a threat is a story. UBA maps each anomaly to a kill-chain phase — Reconnaissance, Delivery, Exploitation, Lateral Movement, Command & Control, Data Exfiltration, Persistence — and then looks for a user or device that has anomalies across multiple phases in a short window.

When the pattern aligns, UBA raises a threat with a name like Data Exfiltration by Suspicious User or Compromised Account — Lateral Movement. The threat bundles all contributing anomalies, shows the timeline, and assigns a threat score based on the severity and number of phases covered. A single threat represents what might have been twenty separate low-priority alerts in a rule-based SIEM.

Threats are the unit of work for the SOC. An analyst opens one threat, reviews the timeline of anomalies, sees which data sources confirmed each, and decides to investigate or dismiss — no need to pivot through raw logs to reconstruct the story.

Figure 3 — Kill-chain phases UBA maps anomalies to
Each anomaly is tagged to a kill-chain phase. A threat fires when one entity spans multiple phases.Kill-chain phases UBA maps anomalies toKill-ChainthreatReconnaissanceDeliveryExploitationLateral MoveExfiltrationPersistence
Each anomaly is tagged to a kill-chain phase. A threat fires when one entity spans multiple phases.
'One anomaly = one incident' misunderstanding

A single anomaly is a weak signal. Analysts who triage anomalies one-by-one burn out fast. The correct workflow is to let UBA correlate anomalies into kill-chain threats and work the threat queue. Tuning means adjusting peer groups and model weights — not suppressing individual anomaly types.

▶ Watch a compromised account get caught by kill-chain correlation

Step through how UBA moves from raw login events to a named kill-chain threat in ES. Press Play for the healthy detection path, then Break it to see the classic tuning failure.

① IngestAuthentication, VPN and cloud-storage events arrive for a finance analyst. UBA aggregates them into the analytics store.
② AnomalyThe analyst logs in from a new country at 02:00 IST and accesses source-code repos — neither matches her peer group baseline. Two anomalies are scored.
③ ThreatUBA correlates the two anomalies: off-hours geographic anomaly (Delivery phase) and sensitive-repo access (Exfiltration phase). A kill-chain threat 'Data Exfiltration by Suspicious User' fires.
④ ES notableThe threat is pushed to Splunk ES as a high-severity notable event. The analyst opens it in Incident Review — timeline, anomaly detail, and contributing data sources are pre-assembled.
Press Play to step through the kill-chain detection path. Then press Break it.
Quick check · Q3 of 10 · Apply

A UBA threat 'Data Exfiltration by Suspicious User' has fired on an employee. What does this mean for the analyst?

Correct: b. A UBA threat bundles multiple anomalies across kill-chain phases — in this case lateral movement and exfiltration — for one entity, with a timeline and evidence already assembled. The analyst works the story, not raw events.
👉 So far: A threat = multiple anomalies for one entity correlated across kill-chain phases (Recon, Lateral Move, Exfiltration). One threat replaces dozens of low-priority alerts.

④ Integration with Enterprise Security — bidirectional, not one-way

UBA and Splunk Enterprise Security connect bidirectionally. In the ES-to-UBA direction, notable events generated by ES correlation searches can be forwarded to UBA as additional signal — adding rule-based detections into the ML pipeline so UBA can factor them into anomaly and risk scoring. In the UBA-to-ES direction, UBA pushes threats (and optionally individual anomalies) to ES as notable events in the Incident Review queue.

Status synchronisation

When an analyst updates the status of a notable event in ES — Pending, In Progress, Resolved — that status is synchronised back to UBA, keeping both systems consistent without double-entry. The practical result: the SOC works entirely in ES while UBA acts as a silent behavioural enrichment layer, boosting the risk context of every alert it touches.

The interview line: UBA does not replace ES; it feeds it with pre-correlated, high-confidence threats that a rule alone could never produce. Tune UBA by adjusting anomaly model weights and peer-group composition — not by writing more SIEM rules.

Figure 4 — Rules-only SIEM vs SIEM + UBA
Adding UBA shifts the SOC from thousands of raw alerts to a short list of high-confidence, context-rich threats.Rules-only SIEM vs SIEM + UBASIEM rules onlyFires on known IOC patternsMisses slow insider movementThousands of low-priority alertsAnalyst rebuilds story manuallySIEM + UBAML baseline catches novelAnomalies correlated acrossFew high-confidence named threatsStory pre-built — timeline +
Adding UBA shifts the SOC from thousands of raw alerts to a short list of high-confidence, context-rich threats.

Priya at a Mumbai fintech faces this

The SOC is flooded with hundreds of low-severity UBA anomalies every day but zero threats are firing, so analysts ignore the anomaly feed entirely.

Likely cause

Peer groups were never configured — UBA is comparing every user to the global population, inflating anomaly scores for legitimate role-specific behaviour (finance users accessing large data exports).

Diagnosis

Check UBA peer group configuration. HR and OU peer groups are empty; behavioural clustering was disabled during deployment. Finance users are being compared to engineers and support staff.

UBA ▸ Configuration ▸ Peer Groups ▸ HR / OU / Behavioural
Fix

Enable HR peer groups using the Active Directory import, map OU peer groups to business units, and run behavioural clustering. Re-baseline over 2–4 weeks. Anomaly scores for role-typical behaviour drop; genuine outliers rise and form threats.

Verify

After re-baselining, the anomaly feed shrinks to dozens of high-confidence items per day and 2–3 kill-chain threats per week reach ES as notable events — analysts now work the threat queue instead of ignoring it.

Prove ES integration is live

After configuring UBA-to-ES integration, generate obvious off-hours access with a test account, confirm UBA raises an anomaly and threat, then verify the threat appears as a notable event in ES Incident Review. Status-sync it back to Resolved in ES and confirm UBA reflects the same status.

Quick check · Q4 of 10 · Analyze

An analyst resolves a notable event in Splunk ES that was pushed by UBA. What happens in UBA?

Correct: a. UBA and ES synchronise status bidirectionally. When an analyst updates a notable in ES to Resolved, that status is written back to UBA — no double-entry needed and both systems stay consistent.
👉 So far: UBA feeds ES bidirectionally: ES notables flow into UBA as signal; UBA threats push to ES as notable events; status changes sync both ways — no double-entry.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

What kind of machine learning does Splunk UBA use to build behavioural baselines?

Correct: b. UBA uses unsupervised ML — it profiles normal behaviour without labelled data, which is why it can detect novel insider threats and compromised accounts that no pre-written rule covers.
Q6 · Understand

Which peer group type uses Active Directory management chains to group users?

Correct: d. HR peer groups are built from AD groups and management chains — they reflect the organisational reporting structure and are the most intuitive starting point for comparing users in similar roles.
Q7 · Apply

An analyst reviews a UBA kill-chain threat labelled 'Lateral Movement by Compromised Account'. Which anomaly phases are most likely correlated?

Correct: a. A kill-chain threat fires when one entity accumulates anomalies across multiple attack phases. For a Lateral Movement threat, UBA typically correlates Delivery-phase and Lateral Movement-phase anomalies for the same user or device.
Q8 · Analyze

Your UBA deployment generates hundreds of anomalies per day but no kill-chain threats ever fire. Most likely root cause?

Correct: d. Without peer groups, every role-typical behaviour appears anomalous against the global population. The result is hundreds of low-signal anomalies per day that never cluster into a coherent kill-chain threat — the classic misconfiguration.
Q9 · Evaluate

An interviewer asks: 'How would you reduce false-positive UBA threats in production?' Best answer?

Correct: b. The primary tuning lever is peer groups — they ensure comparison against like-for-like users. After peer-group setup, a 2–4 week baseline period settles scores, and model weight adjustment removes residual noise. Turning off models or adding ES rules before UBA undermines the whole behavioural layer.
Q10 · Evaluate

What is the primary benefit of bidirectional UBA–ES status synchronisation?

Correct: a. Bidirectional status sync means a status change in ES (e.g. Resolved) is written back to UBA automatically. Analysts work in one queue and both systems stay consistent — no double-entry, no divergent records.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the difference between a UBA anomaly and a UBA threat? Then compare with the expert version.

Expert version: An anomaly is a single scored deviation from an entity's ML baseline — evidence that something unusual happened (off-hours login, access to a peer-group-atypical system). A threat is what UBA creates when it correlates multiple anomalies for the same user or device across two or more kill-chain phases within a time window — it is a named, timeline-backed incident like 'Data Exfiltration by Suspicious User' that tells the full attack story. Analysts work the threat queue, not the raw anomaly feed.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Anomaly (UBA)
A scored deviation from an entity's ML-learned behavioural baseline. Multiple anomalies correlated across kill-chain phases form a threat.
Threat (UBA)
A named, timeline-backed incident created by correlating anomalies across two or more kill-chain phases for the same user or entity.
Entity Risk Score
The weighted sum of all active anomalies for a user or device. High scores surface the riskiest entities before alerts are even raised.
Peer Group
A set of similar users or devices UBA uses as a comparison baseline — HR, OU, behavioural, or device — preventing role-typical behaviour from looking anomalous.
Streaming Model
A UBA ML model that processes every event in real time, sensitive to event sequence and timing.
Batch Model
A UBA ML model that operates on aggregated events over a sliding time window, re-training to track shifting behavioural baselines.
Kill-Chain Phases
Attack lifecycle stages (Recon, Delivery, Exploitation, Lateral Movement, C&C, Exfiltration, Persistence) that UBA maps anomalies to for threat correlation.
Bidirectional Sync
The UBA–ES integration where notable events and status changes flow both ways between UBA and Enterprise Security automatically.
Analytics Store
UBA's dedicated aggregated event store that reduces raw event volume for efficient ML model processing and configurable data retention.

📚 Sources

  1. Splunk — About Splunk User Behavior Analytics (v5.4.4). help.splunk.com/en/security-offerings/splunk-user-behavior-analytics
  2. Splunk — Splunk UBA Models Overview (v5.4.5). help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/use-splunk-user-behavior-analytics/5.4.5
  3. Splunk — User and Entity Behavior Analytics (UEBA) for Enterprise Security. splunk.com/en_us/products/user-and-entity-behavior-analytics.html
  4. Splunk Blog — Elevating Security Intelligence with Splunk UBA's Machine Learning Models. splunk.com/en_us/blog/security/elevating-security-intelligence-with-splunk-uba-s-machine-learning-models.html
  5. Splunk Lantern — Getting Started with UBA. lantern.splunk.com/Security/Getting_Started/Getting_started_with_UBA
  6. Splunk Blog — User and Entity Behavior Analytics (UEBA) For Enterprise Security. splunk.com/en_us/blog/learn/user-entity-behavior-analytics-ueba.html

What's next?

Got UBA covered? Next, go deep on Splunk Enterprise Security correlation searches, risk-based alerting, and how the Risk Framework turns every signal — including UBA threats — into a risk score that drives the SOC queue.

Next · All interview lessons → Practice on exam.techclick.in →