Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Validate HR data configuration before adding other data sources

After adding the HR data, return to the HR data page to make sure that the account names and account types are populated and associated with the correct user.

  1. From Splunk UBA, select Manage > HR data.
  2. Review the HR Users and HR Accounts tables.
  3. If the configuration is inaccurate:
    1. Click Reset HR Data to remove the HR data.
    2. Update the HR data configuration. See Get HR data into Splunk UBA.
    3. Add the HR data again.

Repeat this process as needed until you verify that the HR data in Splunk UBA associates the account names and account types with the correct user.

You can also use the /opt/caspida/bin/irscan -H command in the CLI to verify the HR account data for a specific user.

  1. Log in to the management node as the caspida user.
  2. Run the /opt/caspida/bin/irscan -H command.
  3. When prompted, enter the user name you want to verify.

The following example output shows an HR account lookup for the user abogle:

caspida@uba001:~$ /opt/caspida/bin/irscan -H
{}
Loading HR data in memory.
-------------- top output for this process: [  1927] ------------------------------
top - 14:22:20 up 25 days, 12:11,  2 users,  load average: 4.97, 3.95, 2.08
Tasks:   1 total,   0 running,   1 sleeping,   0 stopped,   0 zombie
%Cpu(s):  6.5 us,  2.1 sy,  0.0 ni, 91.1 id,  0.1 wa,  0.0 hi,  0.2 si,  0.0 st
KiB Mem : 65975524 total, 20264584 free, 12461616 used, 33249324 buff/cache
KiB Swap:  4575228 total,  4078512 free,   496716 used. 51991108 avail Mem 


  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 1927 caspida   20   0 17.917g 124804  33332 S  13.3  0.2   0:02.39 java
-----------------------------------------------------------------------------------


Enter id/account to resolve >> 
abogle
Lookup account: [abogle], resolution-status[Resolved]
       Matched: [abogle]
          User: id[ -746877122015991365], name[Aaron Bogle], type[Human], idType[IR]
       Account: id[-8738048929199146334], name[abogle], type[Normal], status:[null]

After you verify that your HR data is onboarded correctly, you are ready to add assets, identities, and threat intel to Splunk UBA. See Identify assets in your environment.

Last modified on 04 March, 2021
Add custom attributes to your HR data   Make changes to your HR data

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters