Understanding the UEBA Dashboards
User and Entity Behavior Analytics (UEBA) dashboards provide insight into user and asset activity, behavioral anomalies, and associated risk scores.
The UEBA dashboards use detections and findings from the Risk data model to help you identify abnormal behavior and prioritize investigations. They combine high-level visualizations and detailed analysis views so you can monitor trends, investigate suspicious activity, and understand why a user or asset’s risk score increased.
UEBA Dashboards Overview
The following dashboards are available in the UEBA app:
| Dashboard | Description |
|---|---|
| UEBA Overview | Displays high-level behavioral metrics and overall entity risk across your environment. Use it to identify entities with the highest recent activity or anomalous behavior. |
| User Analysis | Provides detailed behavioral and contextual information for a specific user, including risk score, connections, detections, and investigations. |
| Asset Analysis | Displays the same analytical panels as the User Analysis dashboard but focused on assets such as servers, endpoints, or devices. |
| Entity Risk Score | Shows the current and historical risk score for an entity, with detailed contributions by factor and MITRE ATT&CK tactic. |
| Entity Detection Activity | Lists detections, findings, and associated scores for the selected entity. Includes options to view risk details, finding exclusions, and UEBA baselines. |
| All Related Investigations | Displays investigations from Mission Control that are linked to the selected user or asset. |
index=risk before contacting Splunk Support.
Key Panels in the User and Asset Analysis Dashboards
| Panel | Description |
|---|---|
| Entity Risk Score | Displays the entity’s calculated risk score for the past seven days with a trend sparkline. Select Show calculation to view score contributions and MITRE ATT&CK mappings. |
| Entity Details | Shows enriched information from the Assets and Identities tables to help you understand where the entity fits within your organization. |
| Connection Panels | Display related users and assets based on recent activity. Select Show related users and connections to explore additional relationships. |
| Detection Heat Map | Visualizes the number of findings per detection. Hover over a data point for additional context about the findings. |
| Entity Detection Activity | Lists detections with finding counts, score contributions, and first/last seen timestamps. Use the Actions icons to view risk details, open finding exclusions, or display UEBA baselines. |
| Contributing Risk | Shows details about findings or intermediate findings contributing to the overall risk score. |
| Finding Exclusions | Opens the Finding Exclusions workflow to exclude intermediate findings from a detection. |
| UEBA Baseline Visualizations | Displays an interactive visualization of the UEBA model baseline and anomalies. |
| All Related Investigations | Lists current and past investigations associated with the selected user or asset, sourced from Mission Control. |
| Look-back Period | Lets you adjust the time range for data shown in dashboard panels (for example, Last 7 days or Last 30 days). |