Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Search for an entity's risk score history from Splunk Mission Control

You can view the risk score history for any entity by querying the ueba_cloud_risk_score_events index from Splunk Mission Control. As a compliance auditor or threat hunter, you can use this information to view specific events that caused changes to the entity's risk score over any period of time.

Perform the following steps to view the entity risk score history:

  1. Click Search in the Splunk Mission Control menu bar.
  2. In the search field, enter the desired search:

The following example search returns the entity risk score history for a device named host101:

| from ueba_cloud_risk_score_events | where entityPrimaryArtifact="host101"

The following example search returns the risk score events from the last 10 minutes:

| from ueba_cloud_risk_score_events | where earliest=-10m AND latest="now"
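As an added example that is not part of this Splunk topic, the following search combines the entity filter and the time window from the two searches above and, with streamstats, computes the change in score between consecutive events, so that an auditor can see which events moved the entity's risk score. The field names riskScore and _time are assumptions; this topic only names entityPrimaryArtifact.

```spl
| from ueba_cloud_risk_score_events
| where entityPrimaryArtifact="host101" AND earliest=-24h AND latest="now"
| sort 0 _time
| streamstats current=false window=1 last(riskScore) as previousScore
| eval scoreDelta = riskScore - coalesce(previousScore, 0)
| where scoreDelta != 0
| fields _time entityPrimaryArtifact previousScore riskScore scoreDelta
```

Events whose score did not change are dropped, and the first event for the entity is reported against a previous score of 0.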

See Search in Splunk Mission Control in the Triage and Respond to Notables in Splunk Mission Control manual for more information about using search in Splunk Mission Control.

Last modified on 10 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0
