Configuration checklist for UEBA in Splunk Enterprise Security
Before you begin
(Optional) If you run Splunk Enterprise Security on-premises, you can install the UEBA Content App to access more UEBA detections. If you want to install it, do so before completing this checklist. See Installing UEBA Content App for Splunk Enterprise Security.
Configuration checklist
As an admin, you can begin setting up UEBA using the following checklist. This table provides an overview of each setup task and its associated documentation link:
| Step number | Setup task | Documentation |
|---|---|---|
| 1 | Verify that UEBA detections are present in Splunk Enterprise Security. | View UEBA detections from UEBA |
| 2 | Verify that findings generated by UEBA detections are present in the test index. Note: The test index, ba_test, is only in UEBA cloud deployments. | Review findings generated by UEBA detections |
| 3 | Verify that the UEBA dashboards are populated with data. | View UEBA dashboards |
| 4 | Create finding exclusions. | Create a finding exclusion rule using asset or user analysis |
| 5 | Create entity lists. | Add a new entity list |