Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Search for enriched events from Splunk Mission Control

Behavioral analytics service enriches raw events with additional metadata, using identity resolution and the assets and identities data from Splunk Enterprise Security (ES), for example by mapping IP addresses to host names and associating user IDs with human names. These enriched events are stored in the ueba_cloud_enriched_events index on Splunk Cloud Platform Services for 90 days. See How behavioral analytics service enriches events using identity resolution and assets and identities data.

You can search the ueba_cloud_enriched_events index from Splunk Mission Control using the fields that enrichment added to the raw events. For example, to find an event that originally contained the IP address 10.10.10.10 and was enriched with the host name host1, perform the following tasks:

  1. Click Search in the Splunk Mission Control menu bar.
  2. In the search field, enter the search:

    | from ueba_cloud_enriched_events | where host="host1"

See Search in Splunk Mission Control in the Triage and Respond to Notables in Splunk Mission Control manual for more information about using search in Splunk Mission Control.
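The following is an added, illustrative model of the relationship between enrichment and the search above; it is not Splunk code and does not describe how behavioral analytics service is implemented. The asset and identity tables, the raw events, and the field names src_ip, user, user_name and nt_host are constructed assumptions for the example. It shows why a search such as where host="host1" only matches events whose IP address resolved against an asset entry, and why the original IP field is still worth searching when a host is not resolved.

```python
"""Illustrative enrichment-and-search model (added example, not Splunk code).

Assumptions: raw events carry the IP in 'src_ip' and the user ID in 'user';
enrichment adds 'host' (from an assets lookup keyed on IP or CIDR) and
'user_name' (from an identities lookup keyed on user ID). All data below is
constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed assets lookup (hypothetical entries). Single-IP entries are
# treated as /32 networks so that an exact match beats a broader CIDR range.
ASSETS = [
    {"ip": "10.10.10.10", "nt_host": "host1"},
    {"ip": "10.20.0.0/16", "nt_host": "corp-lan-segment"},
]

# Constructed identities lookup (hypothetical): user ID -> human name.
IDENTITIES: Dict[str, str] = {
    "jdoe": "Jane Doe",
}


def resolve_asset(ip: str) -> Optional[str]:
    """Return the nt_host of the most specific asset entry containing ip, or
    None when no entry matches or ip is not a valid address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    best_host, best_prefix = None, -1
    for entry in ASSETS:
        net = ipaddress.ip_network(entry["ip"], strict=False)
        # Longest prefix wins: a /32 entry overrides a /16 range that also matches.
        if addr in net and net.prefixlen > best_prefix:
            best_host, best_prefix = entry["nt_host"], net.prefixlen
    return best_host


def enrich(raw: dict) -> dict:
    """Return a copy of the raw event with enrichment fields added.

    Raw fields are never removed or overwritten, so a search on the original
    value (src_ip="10.10.10.10") keeps matching after enrichment.
    """
    event = dict(raw)
    host = resolve_asset(raw.get("src_ip", ""))
    if host is not None:
        event["host"] = host
    user_name = IDENTITIES.get(raw.get("user", ""))
    if user_name is not None:
        event["user_name"] = user_name
    return event


def search(events: List[dict], **where) -> List[dict]:
    """Stand-in for `| from ueba_cloud_enriched_events | where k="v"`:
    return the events whose fields equal every given key/value pair."""
    return [e for e in events if all(e.get(k) == v for k, v in where.items())]


# Constructed raw events: one resolves to host1, one to a CIDR range entry,
# and one (192.168.1.1) has no asset entry at all.
RAW_EVENTS = [
    {"_time": "2022-01-10T09:00:00Z", "src_ip": "10.10.10.10", "user": "jdoe", "action": "logon"},
    {"_time": "2022-01-10T09:05:00Z", "src_ip": "10.20.5.7", "user": "svc_backup", "action": "logon"},
    {"_time": "2022-01-10T09:10:00Z", "src_ip": "192.168.1.1", "user": "jdoe", "action": "logon"},
]

ENRICHED = [enrich(e) for e in RAW_EVENTS]


if __name__ == "__main__":
    # Equivalent of the documented search: find the event enriched with host1.
    for hit in search(ENRICHED, host="host1"):
        print(hit)
    # The unresolved 192.168.1.1 event has no 'host' field, so it is only
    # reachable through the raw field.
    print(search(ENRICHED, host="192.168.1.1"))      # []
    print(search(ENRICHED, src_ip="192.168.1.1"))    # one event, no 'host' key
```

The caveat the last two calls demonstrate is the one to keep in mind when pivoting from a raw IP to an enriched host name: if the assets lookup did not contain the address at the time of enrichment, a search on host returns nothing, while a search on the original IP field still finds the event.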

Last modified on 10 January, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0

