Validate HR data configuration before adding other data sources
After adding the HR data, return to the HR data page to make sure that the account names and account types are populated and associated with the correct user.
- From Splunk UBA, select Manage > HR data.
- Review the HR Users and HR Accounts tables.
- If the configuration is inaccurate:
  - Click Reset HR Data to remove the HR data.
  - Update the HR data configuration. See Get HR data into Splunk UBA.
  - Add the HR data again.
Repeat this process as needed until you verify that the HR data in Splunk UBA associates the account names and account types with the correct user.
You can also use the /opt/caspida/bin/irscan -H command in the CLI to verify the HR account data for a specific user.
- Log in to the management node as the caspida user.
- Run the /opt/caspida/bin/irscan -H command.
- When prompted, enter the user name you want to verify.
The following example output shows an HR account lookup for the user abogle:
    caspida@uba001:~$ /opt/caspida/bin/irscan -H
    {}
    Loading HR data in memory.
    -------------- top output for this process: [ 1927] ------------------------------
    top - 14:22:20 up 25 days, 12:11, 2 users, load average: 4.97, 3.95, 2.08
    Tasks: 1 total, 0 running, 1 sleeping, 0 stopped, 0 zombie
    %Cpu(s): 6.5 us, 2.1 sy, 0.0 ni, 91.1 id, 0.1 wa, 0.0 hi, 0.2 si, 0.0 st
    KiB Mem : 65975524 total, 20264584 free, 12461616 used, 33249324 buff/cache
    KiB Swap: 4575228 total, 4078512 free, 496716 used. 51991108 avail Mem
    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    1927 caspida 20 0 17.917g 124804 33332 S 13.3 0.2 0:02.39 java
    -----------------------------------------------------------------------------------
    Enter id/account to resolve >> abogle
    Lookup account: [abogle], resolution-status[Resolved]
    Matched: [abogle]
    User: id[ -746877122015991365], name[Aaron Bogle], type[Human], idType[IR]
    Account: id[-8738048929199146334], name[abogle], type[Normal], status:[null]
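An added example, not part of the Splunk documentation: a Python check that parses the lookup lines of the irscan -H output shown above and compares them with what the HR source says for that user. It assumes other lookups print the same line format as this example; the expected name and account type passed to the hypothetical validate() helper are values you supply from your HR source.

```python
import re

# Lookup portion of the irscan -H example output shown on this page.
SAMPLE = """\
Enter id/account to resolve >> abogle
Lookup account: [abogle], resolution-status[Resolved]
Matched: [abogle]
User: id[ -746877122015991365], name[Aaron Bogle], type[Human], idType[IR]
Account: id[-8738048929199146334], name[abogle], type[Normal], status:[null]
"""

# key[value] or key:[value] pairs, as printed on the User: and Account: lines.
FIELD = re.compile(r"([\w-]+):?\[\s*([^\]]*?)\s*\]")
LOOKUP = re.compile(r"Lookup account: \[([^\]]*)\], resolution-status\[([^\]]*)\]")


def parse_lookup(text):
    """Return the account, status, user and account fields of one lookup."""
    result = {"account": None, "status": None, "user": {}, "hr_account": {}}
    for line in text.splitlines():
        line = line.strip()
        m = LOOKUP.search(line)
        if m:
            result["account"], result["status"] = m.groups()
        elif line.startswith("User:"):
            result["user"] = dict(FIELD.findall(line))
        elif line.startswith("Account:"):
            result["hr_account"] = dict(FIELD.findall(line))
    return result


def validate(text, expected_name, expected_type):
    """List mismatches between the lookup and the values in the HR source."""
    r = parse_lookup(text)
    problems = []
    if r["status"] != "Resolved":  # any other status is treated as a failure
        problems.append(f"{r['account']}: resolution-status is {r['status']!r}")
    if r["user"].get("name") != expected_name:
        problems.append(f"user name {r['user'].get('name')!r} != {expected_name!r}")
    if r["hr_account"].get("name") != r["account"]:
        problems.append("account name does not match the looked-up account")
    if r["hr_account"].get("type") != expected_type:
        problems.append(f"account type {r['hr_account'].get('type')!r} != {expected_type!r}")
    return problems


if __name__ == "__main__":
    print(validate(SAMPLE, "Aaron Bogle", "Normal") or "HR mapping OK")
```

A non-empty list from validate() is the signal to reset and re-add the HR data as described in the steps above.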
After you verify that your HR data is onboarded correctly, you are ready to add assets, identities, and threat intel to Splunk UBA. See Identify assets in your environment.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1