Search for enriched events from Splunk Mission Control
Behavioral analytics service enriches raw events with additional metadata using identity resolution and the assets and identities data from Splunk Enterprise Security (ES), such as mapping IP addresses to host names and mapping human names to user IDs. These enriched events are stored in the ueba_cloud_enriched_events index on Splunk Cloud Platform Services for 90 days. See How behavioral analytics service enriches events using identity resolution and assets and identities data.
You can search the ueba_cloud_enriched_events index from Splunk Mission Control by filtering on the enriched fields that were added to the raw events. For example, perform the following tasks to find an event that originally contained only the IP address 10.10.10.10 and was enriched to include the host name host1:
- Click Search in the Splunk Mission Control menu bar.
- In the search field, enter the following search:
  | from ueba_cloud_enriched_events | where host="host1"
See Search in Splunk Mission Control in the Triage and Respond to Notables in Splunk Mission Control manual for more information about using search in Splunk Mission Control.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0