Roles and knowledge objects in UEBA for Splunk Enterprise Security

User and entity behavior analytics (UEBA) uses the existing users and roles in Splunk Enterprise Security to provide role-based permissions for UEBA knowledge objects. The following roles are available in the Splunk platform or Splunk Enterprise Security by default:

  • admin

  • sc_admin

  • ess_admin

  • ess_analyst

  • ess_user

Assign these roles to users in your organization according to the UEBA access each role grants.

Knowledge objects for UEBA

UEBA defines specific permissions for knowledge objects that power behavioral analytics in your environment. These permissions ensure that appropriate users can access, configure, and manage UEBA functionality based on their roles.

The following table explains how knowledge objects are used in UEBA and which roles can read and write each of them:

Knowledge object: Saved searches
  Description for UEBA: Includes behavior-based detection rules and their corresponding summarization, consolidation, feature, and scoring searches
  Read access: all roles
  Write access: admin, sc_admin, ess_admin

Knowledge object: KV Store collections
  Description for UEBA: Tracks feature values, related identities, and related assets
  Read access: admin, sc_admin, ess_admin
  Write access: admin, sc_admin, ess_admin

Knowledge object: Search macros
  Description for UEBA: Encapsulates data mapping functions, transforms field values, calculates features, and scores events
  Read access: admin, sc_admin, ess_admin, ess_analyst, ess_user
  Write access: admin, sc_admin, ess_admin

Knowledge object: Transforms
  Description for UEBA: Allows the collections to be used from SPL
  Read access: all roles
  Write access: admin, sc_admin

Knowledge object: Views
  Description for UEBA: Allows access to UEBA dashboards
  Read access: admin, sc_admin, ess_admin, ess_analyst, ess_user
  Write access: admin, sc_admin, ess_admin
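The read and write sets in the table are only enforced if the ACL on each object actually matches them, and objects are easy to over-share from Splunk Web. The following is an added example, not Splunk's own code, that audits knowledge-object ACLs against the table: it takes the "entry" list of a Splunk REST API JSON response (the documented shape, with acl.perms.read and acl.perms.write) and reports every object that grants read or write to a role the table does not allow. The REST endpoint paths are the standard Splunk ones, but the mapping of table rows to endpoints, the app name SplunkEnterpriseSecuritySuite used as a default, and the sample entries and object names are assumptions constructed for this example.

```python
"""Audit Splunk knowledge-object ACLs against the UEBA role table.

Added example, not Splunk's own code. The endpoint-to-table mapping, the
default app name and the sample entries below are assumptions.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ALL = "*"  # Splunk's wildcard: every role may access the object

# Role sets transcribed from the knowledge-object table; "all" becomes {"*"}.
# Endpoint paths are the standard Splunk REST endpoints for each object type.
UEBA_POLICY = {
    "saved/searches": {"read": {ALL},
                       "write": {"admin", "sc_admin", "ess_admin"}},
    "storage/collections/config": {"read": {"admin", "sc_admin", "ess_admin"},
                                   "write": {"admin", "sc_admin", "ess_admin"}},
    "admin/macros": {"read": {"admin", "sc_admin", "ess_admin", "ess_analyst", "ess_user"},
                     "write": {"admin", "sc_admin", "ess_admin"}},
    "data/transforms/lookups": {"read": {ALL},
                                "write": {"admin", "sc_admin"}},
    "data/ui/views": {"read": {"admin", "sc_admin", "ess_admin", "ess_analyst", "ess_user"},
                      "write": {"admin", "sc_admin", "ess_admin"}},
}


def over_grants(granted, allowed):
    """Return the roles in `granted` that the policy set `allowed` does not permit.

    A policy of {"*"} permits anything. Otherwise a literal "*" in the ACL is an
    over-grant (it opens the object to every role), as is any role outside the set.
    """
    if ALL in allowed:
        return set()
    return set(granted) - allowed


def audit_entries(endpoint, entries, policy=UEBA_POLICY):
    """Compare each REST entry's ACL with the policy row for its endpoint.

    `entries` is the "entry" list of a Splunk REST JSON response. Returns a list
    of (object name, "read" or "write", sorted list of offending roles).
    """
    rule = policy[endpoint]
    findings = []
    for entry in entries:
        # User-private objects carry perms == None; treat that as no grants.
        perms = (entry.get("acl") or {}).get("perms") or {}
        for access in ("read", "write"):
            extra = over_grants(perms.get(access, []), rule[access])
            if extra:
                findings.append((entry["name"], access, sorted(extra)))
    return findings


def fetch_entries(base_url, endpoint, token, app="SplunkEnterpriseSecuritySuite"):
    """Pull every object of one type from a live instance (network path, not exercised here).

    Uses the /servicesNS/-/<app>/<endpoint> namespace form with output_mode=json
    and count=0 (return all results). `app` defaults to an assumed ES app name.
    """
    query = urlencode({"output_mode": "json", "count": 0})
    req = Request(f"{base_url}/servicesNS/-/{app}/{endpoint}?{query}",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)["entry"]


# Constructed sample entries in the shape of a Splunk REST JSON response (not real data).
SAMPLE_COLLECTIONS = [
    {"name": "example_feature_values",
     "acl": {"app": "SplunkEnterpriseSecuritySuite", "sharing": "app",
             "perms": {"read": ["admin", "sc_admin", "ess_admin"],
                       "write": ["admin", "sc_admin", "ess_admin"]}}},
    {"name": "example_related_identities",  # read opened to everyone: exposes identity tracking
     "acl": {"app": "SplunkEnterpriseSecuritySuite", "sharing": "global",
             "perms": {"read": ["*"], "write": ["admin", "sc_admin", "ess_admin"]}}},
]
SAMPLE_SEARCHES = [
    {"name": "Example UEBA Detection - Rule",  # analysts could rewrite the detection logic
     "acl": {"app": "SplunkEnterpriseSecuritySuite", "sharing": "app",
             "perms": {"read": ["*"], "write": ["admin", "ess_admin", "ess_analyst"]}}},
    {"name": "scratch search", "acl": {"app": "search", "sharing": "user", "perms": None}},
]

if __name__ == "__main__":
    for endpoint, entries in (("storage/collections/config", SAMPLE_COLLECTIONS),
                              ("saved/searches", SAMPLE_SEARCHES)):
        for name, access, roles in audit_entries(endpoint, entries):
            print(f"{endpoint}: '{name}' grants {access} to unexpected roles {roles}")
```

The audit reports over-grants only: a collection readable by "*" exposes the identity and feature lookups that ess_analyst and ess_user are not meant to see, and a detection rule writable by ess_analyst lets an analyst change scoring and detection logic. An object that is shared more narrowly than the table is not flagged, since that is a usability problem rather than a permissions escape; extend the check if you also want to catch missing read access for analyst roles.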

Roles to assign for UEBA

The following table explains the UEBA capabilities available for each Splunk Enterprise Security role:

Role: ess_admin
  Capabilities for UEBA: Configure, modify, and manage all UEBA content; edit searches; edit collections; edit macros; edit dashboards; can view lookups that track users, devices, and feature values. Transforms are the exception: only admin and sc_admin can write them.

Role: ess_analyst
  Capabilities for UEBA: View and use UEBA dashboards; execute macros in searches; view saved searches. Cannot modify configurations; cannot view lookups that track users, devices, and feature values.

Role: ess_user
  Capabilities for UEBA: View and use UEBA dashboards; execute macros in searches; view saved searches. Cannot modify configurations; cannot view lookups that track users, devices, and feature values.

Troubleshooting access permissions

The following table explains how to resolve access permission issues you might encounter:

Issue: Cannot view UEBA System dashboards
  Solution: Inherit one of the following roles: ess_admin, ess_analyst, ess_user

Issue: Macros not available in searches
  Solution: Inherit one of the following roles: ess_admin, ess_analyst, ess_user

Issue: Cannot modify UEBA detections
  Solution: Inherit one of the following roles: admin, sc_admin, ess_admin

Issue: Collections not accessible
  Solution: Inherit one of the following roles: admin, sc_admin, ess_admin