Roles and knowledge objects in UEBA for Splunk Enterprise Security

User and entity behavior analytics (UEBA) uses the existing users and roles in Splunk Enterprise Security to provide role-based permissions for UEBA knowledge objects. The following roles are available in the Splunk platform or Splunk Enterprise Security by default:

  • admin

  • sc_admin

  • ess_admin

  • ess_analyst

  • ess_user

Assign these roles to users in your organization based on the UEBA access each role provides.

Knowledge objects for UEBA

UEBA defines specific permissions for knowledge objects that power behavioral analytics in your environment. These permissions ensure that appropriate users can access, configure, and manage UEBA functionality based on their roles.

The following table explains how knowledge objects are used in UEBA:

| Knowledge object | Description for UEBA | Read and write access for roles |
| --- | --- | --- |
| Saved searches | Includes behavior-based detection rules and their corresponding summarization, consolidation, feature, and scoring searches | read: all; write: admin, sc_admin, ess_admin |
| KV Store collections | Tracks feature values, related identities, and related assets | read: admin, sc_admin, ess_admin; write: admin, sc_admin, ess_admin |
| Search macros | Helps encapsulate data mapping functions, transform field values, calculate features, and score events | read: admin, sc_admin, ess_admin, ess_analyst, ess_user; write: admin, sc_admin, ess_admin |
| Transforms | Allows the collections to be used by SPL | read: all; write: admin, sc_admin |
| Views | Allows access to UEBA dashboards | read: admin, sc_admin, ess_admin, ess_analyst, ess_user; write: admin, sc_admin, ess_admin |

Roles to assign for UEBA

The following table explains the UEBA capabilities available for each Splunk Enterprise Security role:

| Role | Capabilities for UEBA |
| --- | --- |
| ess_admin | Configure, modify, and manage all UEBA content; edit searches, collections, macros, and dashboards; view lookups that track users, devices, and feature values |
| ess_analyst | View and use UEBA dashboards; execute macros in searches; view saved searches. Cannot modify configurations; cannot view lookups that track users, devices, and feature values |
| ess_user | View and use UEBA dashboards; execute macros in searches; view saved searches. Cannot modify configurations; cannot view lookups that track users, devices, and feature values |

Troubleshooting access permissions

The following table explains how to resolve access permission issues you might find:

| Issue | Solution |
| --- | --- |
| Cannot view UEBA System dashboards | Inherit one of the following roles: ess_admin, ess_analyst, ess_user |
| Macros not available in searches | Inherit one of the following roles: ess_admin, ess_analyst, ess_user |
| Cannot modify UEBA detections | Inherit one of the following roles: admin, sc_admin, ess_admin |
| Collections not accessible | Inherit one of the following roles: admin, sc_admin, ess_admin |
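As an added example (not Splunk's or the UEBA app's own code), the following script expresses the knowledge-object access table above as Splunk `.meta`-style `access` strings, parses them, and reports which roles a user is missing for a given object type, which is the same question the troubleshooting table answers. The `.meta` syntax (`read : [ ... ], write : [ ... ]`, with `*` meaning every role) is standard Splunk metadata syntax; the role sets are constructed here from the table, and the caller is assumed to pass the user's effective roles, since Splunk resolves role inheritance before checking access.

```python
"""Evaluate UEBA knowledge-object access from Splunk .meta-style access strings."""
import re

# Constructed input: one .meta 'access' value per UEBA knowledge-object type,
# with the role lists copied from the knowledge-object table on this page.
UEBA_ACCESS = {
    "savedsearches": "read : [ * ], write : [ admin, sc_admin, ess_admin ]",
    "collections":   "read : [ admin, sc_admin, ess_admin ], "
                     "write : [ admin, sc_admin, ess_admin ]",
    "macros":        "read : [ admin, sc_admin, ess_admin, ess_analyst, ess_user ], "
                     "write : [ admin, sc_admin, ess_admin ]",
    "transforms":    "read : [ * ], write : [ admin, sc_admin ]",
    "views":         "read : [ admin, sc_admin, ess_admin, ess_analyst, ess_user ], "
                     "write : [ admin, sc_admin, ess_admin ]",
}

# Matches each "read : [ ... ]" / "write : [ ... ]" clause of an access string.
_CLAUSE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_access(access: str) -> dict:
    """Turn 'read : [ a, b ], write : [ c ]' into {'read': {a, b}, 'write': {c}}."""
    parsed = {"read": set(), "write": set()}
    for mode, body in _CLAUSE.findall(access):
        parsed[mode] = {role.strip() for role in body.split(",") if role.strip()}
    return parsed


def can(roles, obj_type: str, mode: str) -> bool:
    """True if any of the user's effective roles grants `mode` on `obj_type`.

    `roles` must already include inherited roles; a '*' entry grants everyone.
    """
    allowed = parse_access(UEBA_ACCESS[obj_type])[mode]
    return "*" in allowed or bool(allowed & set(roles))


def missing_for(roles, obj_type: str, mode: str) -> list:
    """Roles that would grant the access, or [] if the user already has it.

    This mirrors the troubleshooting table: the answer to "collections not
    accessible" for an ess_analyst is the list of roles to inherit.
    """
    if can(roles, obj_type, mode):
        return []
    allowed = parse_access(UEBA_ACCESS[obj_type])[mode]
    return sorted(allowed - {"*"})


if __name__ == "__main__":
    # An analyst can read macros but not KV Store collections.
    print(can(["ess_analyst"], "macros", "read"))              # True
    print(missing_for(["ess_analyst"], "collections", "read"))  # ['admin', 'ess_admin', 'sc_admin']
```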