Splunk® Enterprise Security

Detect Unknown Threats with Behavioral Analytics Service

7.0.1
The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links might return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Search for enriched events from Splunk Mission Control

Behavioral analytics service enriches raw events with additional metadata using identity resolution and the assets and identities data from Splunk Enterprise Security (ES), for example by mapping IP addresses to host names and user IDs to human names. These enriched events are stored in the ueba_cloud_enriched_events index on Splunk Cloud Platform Services for 90 days. See How behavioral analytics service enriches events using identity resolution and assets and identities data.

You can search the ueba_cloud_enriched_events index from Splunk Mission Control using the enriched data in the raw events. For example, perform the following tasks to find an event that originally had the IP address 10.10.10.10 and was enriched to include the host name host1:

  1. Click Search in the Splunk Mission Control menu bar.
  2. In the search field, enter the following search:

    | from ueba_cloud_enriched_events | where host="host1"
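The following Python helpers are an added example, not Splunk's own code: they build the `| from ueba_cloud_enriched_events | where ...` search shown above with the field value properly quoted (so a host name pasted from a ticket cannot alter the where clause), and parse the newline-delimited JSON that the Splunk REST `search/jobs/export` endpoint returns. The REST call assumes the enriched index is searchable through the REST API of the deployment at `base_url`; the page only shows the Mission Control search UI, and the sample response is constructed.

```python
import json
import urllib.parse
import urllib.request

ENRICHED_INDEX = "ueba_cloud_enriched_events"  # index named on the page


def spl_quote(value: str) -> str:
    """Quote a value for an SPL where clause, escaping backslashes and double
    quotes so the value stays a string literal and cannot extend the clause."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_enriched_search(**filters: str) -> str:
    """Build `| from ueba_cloud_enriched_events | where f1="v1" AND f2="v2"`.
    Field names are restricted to identifier characters; values are quoted."""
    clauses = []
    for field, value in filters.items():
        if not field.replace("_", "").isalnum():
            raise ValueError(f"unexpected field name: {field!r}")
        clauses.append(f"{field}={spl_quote(value)}")
    search = f"| from {ENRICHED_INDEX}"
    if clauses:
        search += " | where " + " AND ".join(clauses)
    return search


def parse_export(body: str) -> list:
    """Parse the newline-delimited JSON returned by /services/search/jobs/export
    with output_mode=json, keeping only final (non-preview) result rows."""
    results = []
    for line in body.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("preview") or "result" not in record:
            continue
        results.append(record["result"])
    return results


def export_search(base_url: str, token: str, search: str, timeout: int = 60) -> list:
    """Run `search` through the REST export endpoint and return the result rows.
    Assumption: the enriched index is reachable through this deployment's REST API."""
    data = urllib.parse.urlencode({"search": search, "output_mode": "json"}).encode()
    req = urllib.request.Request(f"{base_url}/services/search/jobs/export", data=data,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_export(resp.read().decode())


# Constructed sample of an export response (not real Splunk output).
SAMPLE_EXPORT = "\n".join([
    json.dumps({"preview": True, "offset": 0, "result": {"host": "host1"}}),
    "",
    json.dumps({"preview": False, "offset": 0,
                "result": {"host": "host1", "_time": "2023-01-05T00:00:00"}}),
])
```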

Last modified on 05 January, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2

