Use behavioral analytics service with Splunk Enterprise Security 7.1.0 or higher
If you have enabled Splunk Enterprise Security version 7.1 or higher, you can also provision behavioral analytics service on a tenant in Splunk Cloud Solutions.
Behavioral analytics service is a cloud-native analytics solution that streams data from your platform to a shared service for processing and helps investigative analysts uncover hidden threats. This service uses a near real-time analytics engine that integrates with Splunk Enterprise Security's risk-based alerting framework (RBA) to improve insider threat detection without adding to alert fatigue in your security operations center (SOC). It brings streaming analytics capabilities to the Splunk Cloud Platform environment and provides security visibility to uncover hidden and unknown threats that cannot be easily detected through searches.
For more information on prerequisites to enable behavioral analytics service with Splunk Enterprise Security, see How do I get behavioral analytics service?
What do I need to run behavioral analytics service?
Verify that you have the following in order to run behavioral analytics service:
- Splunk Cloud stack on 9.0.2209 or later in the US East (Virginia) region
- Splunk Enterprise Security version 7.1 or later
- You are a Splunk Enterprise Security customer in the US East (Virginia) AWS region
- You are a non-FedRAMP customer
- Your data ingestion volume is less than 4 TB
Behavioral analytics service is not available in the following compliant environments:
- FedRAMP Moderate
The behavioral analytics service for Splunk Enterprise Security is not available to on-prem users.
How do I get behavioral analytics service?
To get access to behavioral analytics service, you need Splunk Enterprise Security. Behavioral analytics service ingests asset and identity data from Splunk Enterprise Security in Splunk Cloud Platform for optimal identity resolution.
For related information, see Licensing for Splunk Enterprise Security and Enable behavioral analytics service on Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.2.0