Installing the UEBA Content App for Splunk Enterprise Security

UEBA and the UEBA Content App

User and entity behavior analytics (UEBA) is available by default in Splunk Enterprise Security Premier Edition for both cloud and on-premises deployments. You do not need to install UEBA to access UEBA dashboards and other capabilities.

If you run Splunk Enterprise Security on-premises, you can download and install the UEBA Content App to extend the functions of UEBA and access more behavior-based detections.

Prerequisites for using UEBA in Splunk Enterprise Security

Complete the following before using UEBA functionality in Splunk Enterprise Security:

  Task | Documentation
  Verify compatibility. | UEBA compatibility
  Grant permissions to users who need UEBA access. | Roles and knowledge objects in UEBA for Splunk Enterprise Security
  Collect and extract data in the Asset and Identity Framework. | Configure asset and identity data for UEBA in Splunk Enterprise Security
  Configure risk-based alerting. | Risk scoring in Splunk Enterprise Security
  Verify sourcetypes required for UEBA. | Required sourcetypes for behavior-based detections

Accessing UEBA in Splunk Enterprise Security

There is no manual pairing or installation process required to access UEBA in either cloud or on-premises deployments of Splunk Enterprise Security (ES). If your organization has Splunk Enterprise Security Premier Edition, then UEBA features, such as new dashboards, detections, and analytics, are automatically activated. You can start using UEBA features in your environment.

For support, reach out to your account management team.

For more UEBA detection content, you can install the UEBA Content App.
Note: If you customized your navigation bar in earlier versions of Splunk Enterprise Security, reset it after upgrading to version 8.x to see the UEBA dashboards. This reset is only required once. See Customize the menu bar in Splunk Enterprise Security.

Installing the UEBA Content App for Splunk Enterprise Security on-premises deployments

To install the UEBA Content App for Splunk Enterprise Security on-premises, follow these steps:

  1. Go to Splunkbase and log in with your Splunk.com ID. You must be a licensed user to download the product.
  2. Download the UEBA Content App from Splunkbase.
  3. Choose Download, and save the app file to your desktop.
  4. Log in to the search head as an administrator.
    Note: Install the UEBA Content App on the same search head as Splunk Enterprise Security.
  5. On the Splunk Enterprise search page, select Apps > Manage Apps and select Install App from File.
  6. Select Choose File and browse to the UEBA Content App file you downloaded.
  7. Select Upload to install.

For instructions on installing the UEBA Content App in a search head cluster environment and for configuring the ueba_summaries index in an index cluster, see Install Splunk Enterprise Security in a search head cluster environment and Configure and deploy indexes for Splunk Enterprise Security.