Review findings generated by behavior-based detections

Findings generated by behavior-based detections are written to the ba_test and risk indexes. Review them in the Risk analysis dashboard or with a Splunk search.
Note: UEBA behavior-based detections can take up to 30 days to produce anomalies. The ba_test index is only available for UEBA cloud deployments.
  1. In Splunk Enterprise Security, select Analytics then Security intelligence and then Risk analysis.
  2. In the Index drop-down menu, select Test index to see UEBA findings in the ba_test index, or select Risk index to see UEBA findings in the risk index. The test index is only available in cloud deployments.
  3. (Optional) You can also run the following search to see findings generated by behavior-based detections. It sums risk_score per detection source and index, counts distinct risk objects (entities) and distinct normalized risk objects (normalized_entities), and sorts the least frequent detections first:
    index IN (ba_test, risk) source="UEBA -*"
    | stats sum(risk_score) as finding_score, dc(risk_object) as entities, dc(normalized_risk_object) as normalized_entities, count by source, index
    | table source, index, normalized_entities, entities, count, finding_score
    | sort +count, +finding_score
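To check what the search above actually computes before trusting its numbers, here is an added offline model of the same aggregation in Python. It is example code written for this page, not Splunk or Splunk ES code, and it runs over constructed sample events (field names mirror the risk data model; the detection names, hosts and users are made up). It shows why `entities` and `normalized_entities` differ: two risk events that name the same user in different formats (`CORP\alice` and `alice@corp.example`) count as two risk objects but one normalized entity, and a non-UEBA risk event is excluded by the source filter.

```python
"""Offline model of the UEBA finding summary search (added example, not Splunk code).

Constructed sample events stand in for documents in the `risk` and `ba_test`
indexes. The function reproduces: filter on index/source, stats by
(source, index), then sort ascending by count and finding_score.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample risk events (not real data). One dict per risk event.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"index": "risk", "source": "UEBA - Unusual login time", "risk_score": 20,
     "risk_object": "CORP\\alice", "normalized_risk_object": "alice"},
    # Same user, different identity format: a second risk_object but the same
    # normalized_risk_object, so entities > normalized_entities for this source.
    {"index": "risk", "source": "UEBA - Unusual login time", "risk_score": 20,
     "risk_object": "alice@corp.example", "normalized_risk_object": "alice"},
    {"index": "risk", "source": "UEBA - Unusual login time", "risk_score": 35,
     "risk_object": "CORP\\bob", "normalized_risk_object": "bob"},
    {"index": "ba_test", "source": "UEBA - Excessive data transfer", "risk_score": 50,
     "risk_object": "host01.corp.example", "normalized_risk_object": "host01"},
    # Not a UEBA finding: the source filter must drop it even though it is in `risk`.
    {"index": "risk", "source": "Threat - Brute Force - Rule", "risk_score": 40,
     "risk_object": "CORP\\carol", "normalized_risk_object": "carol"},
]


def is_ueba_finding(event: Dict[str, object]) -> bool:
    """Equivalent of `index IN (ba_test, risk) source="UEBA -*"`."""
    return event["index"] in ("ba_test", "risk") and str(event["source"]).startswith("UEBA -")


def summarize_ueba_findings(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Equivalent of the stats/table/sort pipeline. Returns one row per (source, index)."""
    groups = defaultdict(lambda: {"finding_score": 0.0, "risk_objects": set(),
                                  "normalized": set(), "count": 0})
    for event in events:
        if not is_ueba_finding(event):
            continue
        group = groups[(str(event["source"]), str(event["index"]))]
        group["finding_score"] += float(event["risk_score"])   # sum(risk_score)
        group["risk_objects"].add(event["risk_object"])           # dc(risk_object)
        group["normalized"].add(event["normalized_risk_object"])  # dc(normalized_risk_object)
        group["count"] += 1                                       # count

    rows = [
        {
            "source": source,
            "index": index,
            "normalized_entities": len(group["normalized"]),
            "entities": len(group["risk_objects"]),
            "count": group["count"],
            "finding_score": group["finding_score"],
        }
        for (source, index), group in groups.items()
    ]
    # `sort +count, +finding_score`: ascending on both keys.
    rows.sort(key=lambda row: (row["count"], row["finding_score"]))
    return rows


if __name__ == "__main__":
    for row in summarize_ueba_findings(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: the ba_test detection with one event first, then the risk-index detection with count 3, finding_score 75, entities 3 and normalized_entities 2. If the dashboard shows entities far above normalized_entities for a detection, that is usually identity-format variance in the raw events rather than more affected users, which is why the normalized count is the one to report.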