Auditing UEBA with dashboards in Splunk Enterprise Security

You can audit UEBA detections using the UEBA diagnostics and the UEBA System dashboard in Splunk Enterprise Security.

Note: Use the UEBA diagnostics dashboard only if you are on an on-premise deployment. The UEBA diagnostics dashboard is not available for Cloud deployments.

UEBA diagnostic dashboard

The UEBA diagnostics dashboard helps you identify and resolve issues that might affect how data is processed or displayed in your UEBA environment. It provides visibility into entity risk scoring, asset and identity ingestion, and MITRE ATT&CK configurations.

Use the dashboard to:

  • Confirm that entity and asset data is being ingested correctly.
  • Check whether MITRE ATT&CK mappings and annotations are configured as expected.
  • Troubleshoot missing or unexpected risk scores and empty dashboard panels.

Access the UEBA diagnostic dashboard

To open and review the diagnostics dashboard:

  1. From the Splunk Enterprise Security menu, go to Analytics then Audit and then Entity risk score diagnostics.
  2. Review the available tabs:
    • Operational health: Displays health statuses for key UEBA components and shows whether each status is passing or failing.
    • Entity risk score (ERS): Provides visibility into the scoring process for entities, helping you confirm that risk data is being evaluated correctly.

Audit the MITRE ATT&CK configuration

If the MITRE ATT&CK visualization or main UEBA dashboards appear empty, use the UEBA diagnostics dashboard to investigate potential data or configuration issues.

You can also run the following search in Splunk Enterprise Security to verify that detections include MITRE ATT&CK annotations:

  index=risk
  | fields - annotations*
  | dedup source
  | lookup correlationsearches_lookup _key AS source OUTPUTNEW annotations
  | lookup ba_detections_lookup _key AS source OUTPUTNEW annotations
  | eval annotations = mvindex(annotations, 0)
  | eval mitre_id=coalesce(json_array_to_mv(json_extract(annotations, "mitre_attack")), "null")
  | table source, mitre_id

A null value in the mitre_id field can indicate that:

  • The detection has no MITRE ATT&CK annotations.
  • Annotation data was not collected into correlationsearches_lookup or ba_detections_lookup.
  • Permissions to access the risk index are missing.
  • Detections are not turned on or have not produced findings.
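As an added example (not part of the Splunk documentation), the same search rolled up into a summary so that every detection missing MITRE ATT&CK annotations is listed in one place; it assumes the same lookups and field names as the search above and adds a 24-hour time bound:

```spl
index=risk earliest=-24h
| fields - annotations*
| dedup source
| lookup correlationsearches_lookup _key AS source OUTPUTNEW annotations
| lookup ba_detections_lookup _key AS source OUTPUTNEW annotations
| eval annotations = mvindex(annotations, 0)
| eval mitre_id=json_array_to_mv(json_extract(annotations, "mitre_attack"))
| eval annotation_status=if(isnull(mitre_id), "missing", "present")
| stats count AS detections, values(source) AS detection_sources BY annotation_status
```

Detections listed under "missing" are the ones to check against the causes above; detections that produced no risk events in the window do not appear at all.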

UEBA System dashboard for on-premise deployments

The UEBA System dashboard provides visibility into User and Entity Behavior Analytics (UEBA) detections for on-premise deployments of Splunk Enterprise Security Premier Edition, specifically for Rare Device* and Unusual Volume* detections. This dashboard provides a snapshot of scores for users and devices tracked within the previous 24 hours. Use this dashboard to verify that a detection is active and processing data, even if an intermediate finding is not generated.

Access the UEBA System dashboard

The UEBA System dashboard is not currently available through the standard Splunk Enterprise Security navigation menu. To access the dashboard, you must navigate to the URL directly: (instance)/en-US/app/SplunkEnterpriseSecuritySuite/ueba_system.

Interpret the “Rare Device Feature Scores (Yesterday)” panel

The Rare Device Feature Scores (Yesterday) panel displays login activity data. Note the following when reviewing this panel:

  • Row structure: Each row represents a specific login activity rather than a unique user or device combination. It is normal to see multiple rows for the same user and device.
  • Feature scores: The model tracks various features and assigns numeric scores. A lower score indicates higher rarity.
  • Rarity threshold: Values less than 0.002 are considered rare and are highlighted in red in the table.
  • Risk events: The behavior_rarity score represents the count of rare features for an event. However, a high score does not guarantee an intermediate finding, as the system applies additional logic to reduce false positives.

Interpret the “Unusual Volume of *” detection panels

The Unusual Volume of * panels track user activity against baseline thresholds. Note the following when reviewing these panels:

  • Row structure: Each row represents a specific user and the feature being tracked.
  • Baseline comparison: The table displays the calculated feature value and the threshold (individual baseline). If the tracked feature value exceeds the threshold, the finding is considered potentially risky.

Note: Due to Splunk dashboard limitations, rows in this category do not highlight when a risky intermediate finding is detected.

Next Steps

  • Ensure detections in Splunk Enterprise Security are annotated with MITRE ATT&CK data.
  • Confirm that your user role has access to the risk index.
  • Verify that detections are turned on and producing events as expected.