Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics


Validate data availability

After data is loaded into Splunk UBA, use the Data Availability page to validate or troubleshoot data ingestion and to identify missing data sources. A missing data source is a common reason a Splunk UBA use case is not operational, for example when an anomaly you expect to see is never triggered. The Data Availability page shows the relationships and mappings among the following areas in Splunk UBA:

  • Anomaly types
  • Anomaly categories
  • Threat types
  • Models
  • Data Views
  • Data Sources

To access the Data Availability page, select System > Data Availability in Splunk UBA.

Click a content type in the Data Available section, which is at the top of the left column. In this example, the Unusual Machine Access anomaly is selected, and the page shows the data sources and the model used to generate this anomaly. The box containing the anomaly name has a dark blue background, indicating that all expected data sources are accounted for and the use case is operational.

This screen image shows the Data Availability page. On the left side, there is a column with the Unusual Machine Access anomaly highlighted. The main portion of the screen shows four data sources with dotted lines leading to a single model named Suspicious Device Access Model, which in turn has a dotted line leading to the Unusual Machine Access anomaly.

If Splunk UBA detects that some, but not all, of the expected data sources are available, the anomaly appears in the Partial Data Available section in the left column.

In this example, the Blacklisted Entity Model uses HTTP and DNS data to generate Blacklisted Domain anomalies. Two data sources are already providing HTTP data to the model. However, the model also expects a DNS data source, which is not present. The light gray DNS label in the Models box indicates that this data source is missing or incomplete, and the box containing the anomaly name is light blue instead of the darker shade of blue shown for fully available use cases.

This screen image shows the Data Availability page for an anomaly named Blacklisted Domain. The screen shows two data sources with dotted lines leading to a model, which leads to the anomaly. The data source DNS in the model is in light gray, indicating that it is missing.

If no data is available, the anomaly appears in the No Data Available section. The box containing the anomaly name has no color, indicating that none of the expected data sources are present and the use case cannot produce anomalies until at least one of them is onboarded.
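The three states above amount to a dependency check from anomaly, through model, to the data types the model expects. The following Python is an illustrative model added to this page; it is not Splunk UBA code and not a Splunk API. It assumes the two anomaly-to-model pairs shown in the screen examples, uses placeholder labels for the four source types of the Suspicious Device Access Model because the page does not name them, and a constructed inventory of two HTTP feeds and no DNS feed, which reproduces the Blacklisted Domain example. It also lists the missing types, which is the detail you want when troubleshooting an anomaly that is not firing.

```python
"""Illustrative model of the Data Availability states (added example, not Splunk UBA code)."""
from typing import Dict, List, Set, Tuple

DATA_AVAILABLE = "Data Available"
PARTIAL_DATA_AVAILABLE = "Partial Data Available"
NO_DATA_AVAILABLE = "No Data Available"

# Anomaly type -> model that generates it. Both pairs appear on this page.
ANOMALY_MODELS: Dict[str, str] = {
    "Unusual Machine Access": "Suspicious Device Access Model",
    "Blacklisted Domain": "Blacklisted Entity Model",
}

# Model -> data types it expects. HTTP and DNS for the Blacklisted Entity Model
# come from the page. The page says the Suspicious Device Access Model is fed by
# four sources but does not name them, so TYPE_1..TYPE_4 are placeholders.
MODEL_EXPECTED_TYPES: Dict[str, Set[str]] = {
    "Blacklisted Entity Model": {"HTTP", "DNS"},
    "Suspicious Device Access Model": {"TYPE_1", "TYPE_2", "TYPE_3", "TYPE_4"},
}

# Constructed inventory: configured data source name -> data types it provides.
# Two HTTP feeds and no DNS feed, as in the second screen example.
CONFIGURED_SOURCES: Dict[str, Set[str]] = {
    "web-proxy": {"HTTP"},
    "ngfw-url-filter": {"HTTP"},
}


def provided_types(sources: Dict[str, Set[str]]) -> Set[str]:
    """Union of every data type the configured sources deliver."""
    return set().union(*sources.values()) if sources else set()


def classify(expected: Set[str], provided: Set[str]) -> Tuple[str, List[str]]:
    """Map expected vs. provided types to a state plus the sorted missing types.

    Mirrors the page's colour legend: all expected types present is dark blue
    (Data Available), some present is light blue (Partial Data Available), none
    present is uncoloured (No Data Available).
    """
    missing = sorted(expected - provided)
    if not missing:
        return DATA_AVAILABLE, []
    if len(missing) == len(expected):
        return NO_DATA_AVAILABLE, missing
    return PARTIAL_DATA_AVAILABLE, missing


def anomaly_availability(
    anomaly: str,
    anomaly_models: Dict[str, str] = ANOMALY_MODELS,
    model_types: Dict[str, Set[str]] = MODEL_EXPECTED_TYPES,
    sources: Dict[str, Set[str]] = CONFIGURED_SOURCES,
) -> Tuple[str, str, List[str]]:
    """Resolve anomaly -> model -> expected types; return (model, state, missing)."""
    model = anomaly_models[anomaly]
    state, missing = classify(model_types[model], provided_types(sources))
    return model, state, missing


def availability_report(
    anomaly_models: Dict[str, str] = ANOMALY_MODELS,
    model_types: Dict[str, Set[str]] = MODEL_EXPECTED_TYPES,
    sources: Dict[str, Set[str]] = CONFIGURED_SOURCES,
) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group anomalies by state, the way the left column of the page groups them."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {
        DATA_AVAILABLE: [], PARTIAL_DATA_AVAILABLE: [], NO_DATA_AVAILABLE: []
    }
    for anomaly in sorted(anomaly_models):
        _, state, missing = anomaly_availability(anomaly, anomaly_models, model_types, sources)
        report[state].append((anomaly, missing))
    return report


if __name__ == "__main__":
    for state, entries in availability_report().items():
        print(state)
        for anomaly, missing in entries:
            suffix = f" (missing: {', '.join(missing)})" if missing else ""
            print(f"  {anomaly}{suffix}")
```

Onboarding a DNS source amounts to adding a `{"DNS"}` entry to `CONFIGURED_SOURCES`; rerunning then moves Blacklisted Domain from Partial Data Available to Data Available, which is the check to make after adding a data source.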

Last modified on 17 October, 2019

This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1

