Installing UEBA for Splunk Enterprise Security
User and entity behavior analytics (UEBA) is available in Splunk Enterprise Security Premier Edition for both cloud and on-premises deployments.
Prerequisites for installing UEBA
| Task | Documentation |
|---|---|
| Verify compatibility. | UEBA compatibility |
| Grant permissions to users who need UEBA access. | Roles and knowledge objects in UEBA for Splunk Enterprise Security |
| Collect and extract data in the Asset and Identity Framework. | Configure asset and identity data for UEBA in Splunk Enterprise Security. |
| Configure risk-based alerting. | Risk scoring in Splunk Enterprise Security |
| Verify sourcetypes required for UEBA. | Required sourcetypes for behavior-based detections |
Pairing UEBA for Splunk Enterprise Security cloud deployments
There is no manual pairing process required to access UEBA in Splunk Enterprise Security (ES) cloud deployments. If your organization has Splunk Enterprise Security Premier Edition, then UEBA features, such as new dashboards, detections, and analytics, are automatically activated. You can start using UEBA features in your environment without any additional configuration. For support, reach out to your account management team.
Installing UEBA for Splunk Enterprise Security on-premises deployments
To install UEBA for Splunk Enterprise Security on-premises, follow these steps:
- Go to Splunkbase and log in with your Splunk.com ID. You must be a licensed user to download the product.
- Download UEBA from Splunkbase.
- Choose Download, and save the app file to your desktop.
- Log in to the search head as an administrator. Note: Install UEBA on the same search head as Splunk Enterprise Security.
- On the Splunk Enterprise search page, select Apps > Manage Apps and select Install App from File.
- Select Choose File and go to the UEBA product file.
- Select Upload to install.
For instructions on installing UEBA in a search head cluster environment and for configuring the ueba_summaries index in an index cluster, see Install Splunk Enterprise Security in a search head cluster environment and Configure and deploy indexes for Splunk Enterprise Security.
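As an added illustration (not taken from the Splunk documentation), the following is a minimal indexes.conf stanza for the ueba_summaries index that the page says must exist in an indexer cluster. The paths follow the standard Splunk index layout; retention and sizing values are deliberately omitted, because the correct ones for your deployment come from the linked index configuration guide, not from this example.

```ini
# Constructed example: minimal definition of the UEBA summary index.
# Deploy it through the cluster manager (manager-apps) so every peer
# in the indexer cluster creates the index before UEBA is installed
# on the search head; otherwise UEBA searches that write to this
# index will fail with "index not found".
[ueba_summaries]
homePath   = $SPLUNK_DB/ueba_summaries/db
coldPath   = $SPLUNK_DB/ueba_summaries/colddb
thawedPath = $SPLUNK_DB/ueba_summaries/thaweddb
# Assumption: retention (frozenTimePeriodInSecs) and size limits
# (maxTotalDataSizeMB) are set per your environment's policy.
```

After the bundle is pushed, confirm on a peer with `splunk btool indexes list ueba_summaries` that the stanza is active, and verify the search head's role mapping (see the prerequisites table) grants UEBA users read access to the index.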