Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create a notable to investigate in Splunk Mission Control

When viewing the details for any entity in behavioral analytics service, you can create a notable that you can view and investigate in Splunk Mission Control with the default label of UEBA Notable.

Perform the following tasks to create a notable in behavioral analytics service:

  1. Navigate to the entity details page for a specific entity. You can do this by clicking the entity on the Entity page or on the User & Entity Analytics dashboard.
  2. On the entity details page, click Create Notable.
  3. Enter a name in the Notable Name field.
  4. Select a label from the drop-down list in the Label field. By default, notables created in behavioral analytics service use the UEBA Notable label. If, after triaging this entity and its anomalies in behavioral analytics service, you determine that the notable belongs in a category that already exists in Splunk Mission Control, select that label from the drop-down list now so that you don't have to find the notable later in Splunk Mission Control and change its label there.
  5. Click the down arrow to expand the Advanced options. Here you can set additional values for the notable, such as status, owner, severity, and sensitivity.
  6. Click Submit to create the notable.

In Splunk Mission Control, click Investigations on the menu bar to view the list of notables, called the analyst queue. Type UEBA Notable in the search field to filter the queue so that only notables with the default UEBA Notable label are listed.

Last modified on 05 January, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2
