Use the dashboard to:

• Confirm that entity and asset data is being ingested correctly.
• Check whether MITRE ATT&CK mappings and annotations are configured as expected.
• Troubleshoot missing or unexpected risk scores and empty dashboard panels.

Accessing the Dashboard

To open and review the diagnostics dashboard:

1. From the Splunk Enterprise Security menu, go to Analytics then UEBA and then UEBA Diagnostics.
2. Review the available tabs:
   • Operational health: Displays health statuses for key UEBA components and shows whether each status is passing or failing.
   • Entity risk score (ERS): Provides visibility into the scoring process for entities, helping you confirm that risk data is being evaluated correctly.

Auditing MITRE ATT&CK Configuration

If the MITRE ATT&CK visualization or main UEBA dashboards appear empty, use the UEBA diagnostics dashboard to investigate potential data or configuration issues.

You can also run the following search in Splunk Enterprise Security to verify that detections include MITRE ATT&CK annotations:

index=risk
| fields - annotations*
| dedup source
| lookup correlationsearches_lookup _key AS source OUTPUTNEW annotations
| lookup ba_detections_lookup _key AS source OUTPUTNEW annotations
| eval annotations = mvindex(annotations, 0)
| eval mitre_id=coalesce(json_array_to_mv(json_extract(annotations, "mitre_attack")), "null")
| table source, mitre_id
            

A null value in the mitre_id field can indicate that:

• The detection has no MITRE ATT&CK annotations.
• Annotation data was not collected into correlationsearches_lookup or ba_detections_lookup.
• Permissions to access the risk index are missing.
• Detections are not turned on or have not produced findings.

Next Steps

• Ensure detections in Splunk Enterprise Security are annotated with MITRE ATT&CK data.
• Confirm that your user role has access to the risk index.
• Verify that detections are turned on and producing events as expected.