Configuration checklist for UEBA in Splunk Enterprise Security
Before you begin
If you use Splunk Enterprise Security on-premises, you must install UEBA. See Installing UEBA for Splunk Enterprise Security.
Configuration checklist
As an admin, you can begin setting up UEBA after you finish the pairing process with your Splunk Enterprise Security cloud deployment or the installation process with your on-premises deployment. The following table provides an overview of each setup task and its associated documentation link:
| Step number | Setup task | Documentation |
|---|---|---|
| 1 | Verify that behavior-based detections are present in Splunk Enterprise Security. | View behavior-based detections from UEBA |
| 2 | Verify that findings generated by behavior-based detections are present in the test index. Note: The test index, ba_test, exists only in UEBA cloud deployments. | Review findings generated by behavior-based detections |
| 3 | Verify that the UEBA dashboards are populated with data. | View UEBA dashboards |
| 4 | Create finding exclusions. | Create a finding exclusion rule using asset or user analysis |
| 5 | Create entity lists. | Add a new entity list |