Splunk Enterprise Security

Clarification on UBA Capability in Splunk Enterprise Security vs MLTK and RBA

tuongpx
New Member

Hello Splunk Community,

I would like to request clarification regarding Splunk Enterprise Security (ES) capabilities in relation to User Behavior Analytics (UBA).
In a current SIEM/SOC solution evaluation, one of the key requirements specifies that:
“The system must have the capability of User Behavior Analytics (UBA) to monitor and detect internal risks.”
A vendor has proposed using Splunk Enterprise Security (ES) with Machine Learning Toolkit (MLTK) and Risk-Based Alerting (RBA), stating that these features are equivalent to and can replace User Behavior Analytics (UBA) for managing user behavior and detecting insider threats.
I would appreciate clarification on the following points:
1. Does Splunk Enterprise Security (ES) natively include User Behavior Analytics (UBA) capabilities?
2. Can MLTK and RBA in Splunk ES be considered equivalent to, or a replacement for, Splunk UBA in terms of user behavior analysis and insider risk detection?
3. If not, is Splunk UBA a separate module required to provide these capabilities?
This clarification will help ensure a correct understanding of Splunk’s technical capabilities and licensing structure.
Thank you in advance for your insights and confirmation.
