Configure asset and identity data for UEBA in Splunk Enterprise Security
UEBA uses the Asset and Identity Framework in Splunk Enterprise Security to link detections to the correct users and devices. Asset and identity data powers entity lists, enriches detections with context, and ensures that risk scores are calculated for the right entities.
- Ensure that your Asset and Identity Framework is set up and populated with accurate data. You can collect this information from internal sources or through integrations like the Splunk Supporting Add-on for Active Directory. See Collect and extract asset and identity data in Splunk Enterprise Security.
- Verify that at least one identity source is configured and turned on in the Asset and Identity Management page. See Manage identity lookup configuration policies in Splunk Enterprise Security.