We have all of our Windows Events from our domain controllers going into UBA with a CIM-compliant Splunk Direct data source; however, it is saying we are missing AD data. What is the requirement for AD data in UBA? Do we need a particular app feeding into it?
Does domain actually make a difference? The documentation is horrible; changes from 4.30 to 4.32 have not been updated in the documentation, and in general it is just near useless. I am finding "contact PS" to be the default answer.
Ok. I am on UBA 4.3.x. System -> Data availability (Data views) should list 'AD' under 'data available' and link it to your 'Data sources', models and anomaly types. What do you see in Manage -> Data Sources? Are you seeing your AD data with the appropriate 'Name' and status/format as processing? UBA can read the Windows event logs natively without Splunk Direct.