Splunk® Enterprise Security

Use Splunk Enterprise Security

Turn on behavioral analytics service on Splunk Enterprise Security

This topic applies only to customers on the Splunk Cloud platform.

Enable behavioral analytics service on Splunk Enterprise Security to leverage threat detections so that you can monitor cyber threats and enhance your security operations. Enabling behavioral analytics service on Splunk Enterprise Security allows you to ingest raw data from various supported source types and provision tenants automatically. Additionally, you can also forward notables, risk events, assets, and identity data from Splunk Enterprise Security to the behavioral analytics service.

Prerequisites to enable behavioral analytics service

Following is a list of prerequisites to enable behavioral analytics service with Splunk Enterprise Security:

  • Splunk Cloud stack on 9.0.2209 or later in the US East (Virginia) region
  • Splunk Enterprise Security version 7.2 or later
  • You are a Splunk Enterprise Security customer from the US East (Virginia) AWS region
  • You are a non-FedRamp customer
  • Your data ingestion volume is less than 4 TB

The behavioral analytics service for Splunk Enterprise Security is not available to on-prem users.

Turn on behavioral analytics service from Splunk Enterprise Security

Follow these steps to turn on behavioral analytics service on Splunk Enterprise Security:

  1. Log in to the Splunk Enterprise Security app to display the option to turn on the service.
  2. Select the checkbox to allow Splunk to turn on token authentication, generate a token, and send data from Splunk Enterprise Security to behavioral analytics service.
    This is a screenshot for token authentication page to turn on the behavioral analytical service.

    You must select the checkbox and allow Splunk to turn on token authentication to proceed with enabling the service. If you choose to disable token authentication later, the behavioral analytics service is not disabled, and you can continue to use the service.

  3. Select Enable to turn on the service.
    Enabling the service might take 1-2 hours. The following notification is sent when the service is turned on. This is a screenshot of the notification when BA is turned on.

For more information on token authentication, see Enable or disable token authentication.

Alternatively, you can also turn on the behavioral analytics service by following these steps:

  1. In Splunk Enterprise Security, go to Configure.
  2. Select General settings.
  3. Scroll to the panel for Behavioral analytics service.
  4. Select the checkbox to allow Splunk to turn on token authentication, generate a token, and send date from Splunk Enterprise Security to behavioral analytics service.

    You must select the checkbox and allow Splunk to turn on token authentication to proceed with enabling the service. Enabling tokens allow users with sc_admin role to make API calls to the Administrator Configuration Service (ACS) and use behavioral analytics with Splunk Enterprise Security. If you choose to disable token authentication later, the behavioral analytics service is not disabled, and you can continue to use the service.

  5. Select Enable to turn on the service.
    Enabling the service might take 1-2 hours. The following notification is sent when the service is turned on. Behavioral analytics service enabled successfully.

Contact *Splunk Support Portal or your account team if you want to disable the behavioral analytics service. If you see errors while enabling the behavioral analytics service, retry enabling the service again. If you see errors while enabling behavioral analytics detection, retry enabling the detections. Contact Splunk Support if the errors persist.

Turn on or turn off behavioral analytics detections in Splunk Enterprise Security

If you are an eligible user, you can view all behavioral analytics detections on the Content Management page in Splunk Enterprise Security. You can also turn on or turn off individual detections, if required. You also have the option to manage behavioral analytics detections by forwarding findings to a test index without impacting the risk environment. For more information on using test index for detections, see Manage Behavioral Analytics Service detections in Splunk Enterprise Security.

Follow these steps to turn on or turn off detections:

  1. In Splunk Enterprise Security, go to Security content and then select Content management to view all content.
  2. Filter the security content by type Detection.
  3. Turn on or turn off the detections by selecting On or Off from the Status column.
Last modified on 05 September, 2024
Use behavioral analytics service with Splunk Enterprise Security 7.1.0 or higher   Use federated searches in transparent mode with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters