1:) Background:
Splunk UBA requires HR data to be imported before anything else. First, a look at why:
Why Splunk UBA requires HR data - Splunk Documentation
Add human resources (HR) data, such as employee details and their account information, from Active Directory or other HR systems to Splunk UBA. HR data must be loaded before any other data is loaded into Splunk UBA.
Splunk UBA uses HR data to do the following with other data loaded into Splunk UBA:
Categorize accounts by type. Splunk UBA defines the normal, admin, service, and system account types by default. These account types are used by the various threat models