Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Enable behavioral analytics service on Splunk Enterprise Security

This topic applies only to customers on the Splunk Cloud platform.

Enable behavioral analytics service on Splunk Enterprise Security to leverage threat detections so that you can monitor cyber threats and enhance your security operations. Enabling behavioral analytics service on Splunk Enterprise Security allows you to ingest raw data from various supported source types and provision tenants automatically. Additionally, you can also forward notables, risk events, assets, and identity data from Splunk Enterprise Security to the behavioral analytics service.

Prerequisites to enable behavioral analytics service

Following is a list of prerequisites to enable behavioral analytics service with Splunk Enterprise Security:

  • Splunk Cloud stack on 9.0.2209 or later in the US East (Virginia) region
  • Splunk Enterprise Security version 7.1 or later
  • You are a Splunk Enterprise Security customer from the US East (Virginia) AWS region
  • You are a non-FedRamp customer
  • Your data ingestion volume is less than 4 TB

The behavioral analytics service for Splunk Enterprise Security is not available to on-prem users.

Enable behavioral analytics service from Splunk Enterprise Security

Follow these steps to enable behavioral analytics service on Splunk Enterprise Security:

  1. Log in to the Splunk Enterprise Security app to display the option to enable the service.
  2. Select the checkbox to allow Splunk to enable token authentication, generate a token, and send data from Splunk Enterprise Security to behavioral analytics service.
    This is a screenshot for token authentication page to enable BA.

    You must select the checkbox and allow Splunk to enable token authentication to proceed with enabling the service. If you choose to disable token authentication later, the behavioral analytics service is not disabled, and you can continue to use the service.

  3. Click Enable to enable the service.
    Enabling the service might take 1-2 hours. The following notification is sent when the service is enabled. This is a screenshot of the notification when BA is enabled.

For more information on token authentication, see Enable or disable token authentication.

Alternatively, you can also enable the behavioral analytics service by following these steps:

  1. Navigate to Configure > General > General Settings.
  2. Scroll to the panel for Behavioral analytics service.
  3. Select the checkbox to allow Splunk to enable token authentication, generate a token, and send date from Splunk Enterprise Security to behavioral analytics service.

    You must select the checkbox and allow Splunk to enable token authentication to proceed with enabling the service. Enabling tokens allow users with sc_admin role to make API calls to the Administrator Configuration Service (ACS) and use behavioral analytics with Splunk Enterprise Security. If you choose to disable token authentication later, the behavioral analytics service is not disabled, and you can continue to use the service.

  4. Click Enable to enable the service.
    Enabling the service might take 1-2 hours. The following notification is sent when the service is enabled. Behavioral analytics service enabled successfully.

Contact *Splunk Support Portal or your account team if you want to disable the behavioral analytics service. If you see errors while enabling the behavioral analytics service, retry enabling the service again. If you see errors while enabling behavioral analytics detection, retry enabling the detections. Contact Splunk Support if the errors persist.

Enable or disable behavioral analytics detections in Splunk Enterprise Security

If you are an eligible user, you can view all behavioral analytics detections on the Content Management page in Splunk Enterprise Security. You can also enable or disable individual detections, if required. You also have the option to manage behavioral analytics detections by forwarding notables to a test index without impacting the risk environment. For more information on using test index for detections, see Manage Behavioral Analytics Service detections in Splunk Enterprise Security.

Follow these steps to enable or disable detections:

  1. Navigate to the Content Management page (Configure > Content > Content management) in Splunk Enterprise Security to view all content.
  2. Filter the security content by Type Detection.
  3. Select the detections that you want to enable or disable from the list on the Content Management page.
  4. Click Enable or Disable.

You can also select detections in bulk and enable or disable them.

Last modified on 15 July, 2024
Use behavioral analytics service with Splunk Enterprise Security 7.1.0 or higher   Overview of Incident Review in

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters