Turn on or turn off behavior-based detections in the risk or test index

You can turn on or turn off behavior-based detections in either of two indexes: risk or ba_test. Turning on a detection in an index allows it to generate findings in that index. By default, behavior-based detections for cloud deployments are turned on in the test index, ba_test.
  1. In Splunk Enterprise Security, select Security content and then select Content management.
  2. To filter for behavior-based detections, change the Type filter to Behavior-based detection.
  3. Select the link for the detection that you want to turn on or turn off.
  4. To turn on a detection, select Turn on in risk index or Turn on in test index for the index you want to generate findings in.
  5. To turn off a detection so that it doesn't create findings in any index, select Off.