View UEBA detections

Follow these steps to view User and Entity Behavior Analytics (UEBA) detections in Splunk Enterprise Security:

  1. In Splunk Enterprise Security, select Security content and then select Content management to view the list of detections.
  2. To filter for UEBA detections, change the Type filter to UEBA detection.
  3. Select a detection to view the detection details.
    Note: You can't edit or create UEBA detections on the Content management page. These detections are view-only in Splunk Enterprise Security.
  4. (Optional) In the Status column for the detection, use the drop-down menu to select On or Off. A detection that's turned off does not create any events in any index.
    Note: For UEBA cloud deployments, you can turn on a detection in either the test or risk index. By default, all cloud detections are turned on in the ba_test index. See Turn on or turn off UEBA detections in the risk or test index.
  5. (Optional) In the Actions column for the detection, select the more icon, and then select Manage finding exclusion rules. With finding exclusion rules, you can exclude risk for a given detection based on specified criteria. See Finding exclusions in Splunk Enterprise Security to create and manage finding exclusion rules.