# Configuration checklist for UEBA in Splunk Enterprise Security

## Before you begin
(Optional) If you run Splunk Enterprise Security on-premises, you can install the UEBA Content App to get additional behavior-based detections. Install it before working through this checklist so that those detections are present for the verification steps below. See Installing UEBA Content App for Splunk Enterprise Security.
## Configuration checklist

As an admin, set up UEBA by working through the following checklist. The table gives an overview of each setup task and the documentation topic that describes it:
| Step number | Setup task | Documentation |
|---|---|---|
| 1 | Verify that behavior-based detections are present in Splunk Enterprise Security. | View behavior-based detections from UEBA |
| 2 | Verify that findings generated by behavior-based detections are present in the test index. Note: The test index, `ba_test`, exists only in UEBA cloud deployments. | Review findings generated by behavior-based detections |
| 3 | Verify that the UEBA dashboards are populated with data. | View UEBA dashboards |
| 4 | Create finding exclusions. | Create a finding exclusion rule using asset or user analysis |
| 5 | Create entity lists. | Add a new entity list |