This topic applies only to users of the User and Entity Behavior Analytics (UEBA) app. You can access behavior-based detections from the UEBA app on an on-premises deployment of Splunk Enterprise Security.
View behavior-based detections from UEBA in Splunk Enterprise Security
Follow these steps to view behavior-based detections from the User and Entity Behavior Analytics (UEBA) app in Splunk Enterprise Security:
- In Splunk Enterprise Security, select Security content and then select Content management to view the list of detections.
- To filter for behavior-based detections, change the Type filter to Behavior-based detection and change the App filter to User and Entity Behavioral Analytics Content.
- Select a detection to view the detection details.
You can't edit or create behavior-based detections on the Content management page. These detections are view-only in Splunk Enterprise Security.
- (Optional) In the Status column for the detection, use the drop-down menu to select On or Off. A detection that's turned off does not create any events in any index.
- (Optional) In the Actions column for the detection, select the more icon, and then select Manage finding exclusion rules. With finding exclusion rules, you can exclude risk for a given detection based on specified criteria. You can create and manage finding exclusion rules in the UEBA app.
See also
For more information on behavior analytics in Splunk Enterprise Security, see the following product documentation:
- Manage detections from the behavioral analytics service in Splunk Enterprise Security
- Machine Learning Toolkit Overview in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0