Add a new entity list

Add entity lists to focus or exclude specific users and assets in UEBA dashboards, helping you streamline investigations and highlight relevant activity. You can dynamically generate UEBA entity lists in three ways: identity lookups, the category field, and through pattern matching of asset and identity names.
  1. In Splunk Enterprise Security, select Configure then UEBA.
  2. Select the left-side Entity lists tab.
  3. Select Add entity list and then select Assets or Identities.
  4. Enter a name for your list.
    Note: You must select a unique name between 3 and 100 characters. You can't use "uncategorized" as a name.
  5. Select the List condition to base the entity list on.

    • Source: Choose from existing sources in your asset and identity lookups.

    • Category: Choose from existing categories in your asset and identity lookups.

    • Pattern match: Enter a pattern to match against normalized_risk_object values.

  6. (Optional) In the Preview section, select Run to check how many entities satisfy the list conditions before saving the list. The previewed entities are based on those present in your asset and identity lookups.
  7. Select Add.

After you create an entity list, you can also create a finding exclusion rule based that entity list for more precise threat detection tuning. See Create a finding exclusion rule using the UEBA configuration page.