Splunk UBA Monitoring App requirements

The Splunk UBA Monitoring App requires the following combination of Splunk UBA with Splunk Enterprise or Splunk Cloud Platform:

Splunk UBA Monitoring App version	Splunk UBA version	Splunk Enterprise version
Splunk UBA Monitoring App 1.1.1	Splunk UBA 5.0.3 or higher	Splunk Enterprise versions 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0 Splunk Cloud Platform
Splunk UBA Monitoring App 1.1	Splunk UBA 5.0.3	Splunk Enterprise versions 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0
Splunk UBA Monitoring App 1.0.0	Splunk UBA 5.0.0	Splunk Enterprise versions 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0

Additional requirements for the Splunk UBA Monitoring App

The Splunk UBA Monitoring App forwards data to the _internal index on the Splunk platform. Users of the Splunk UBA Monitoring App must have read access to the _internal index in order to see any data when using the app. Users with the admin role in Splunk Enterprise or sc_admin role in Splunk Cloud Platform have this permission by default. Non-admin users can be granted this access by qualified admin or sc_admin users.
- For Splunk Enterprise users, see About users and roles in the Splunk Enterprise Admin Manual.
- For Splunk Cloud Platform users, see Manage Splunk Cloud users and roles in the Splunk Cloud Admin Manual.
The forwarder on Splunk UBA connects to the Splunk platform receiver on port 9997 by default. The receiver on Splunk Enterprise must be enabled to receive data from the forwarder on Splunk UBA. See Enable a receiver in the Splunk Enterprise Forwarding Data manual.