Troubleshooting
Problem
A known issue is confirmed in User Behavior Analytics (UBA) version 4.1.0, where the User Import feature can duplicate users after an automatic poll. The issue can occur when an LDAP, Active Directory, or reference table import configuration is set up with automatic polling. If a user is duplicated during an automatic poll, the User Details screen might not show any user details or might display errors for user IDs that are duplicates.
Symptom
If a user is duplicated, the User Details screen can display errors. For example,
- The user is imported, but the User Details displays: "No additional data is available" even though LDAP or reference data import fields are configured.
- The Timeline view in the user interface does not load and displays the error: User ID "integer" not found in application database for query".
Cause
These users are due to a defect with the coalescing function in UBA v4.1.0, where the user information gets duplicated to a new user ID in the application. The duplicate user issue affects automatic polling where UBA detects the contents changed since the last poll. When UBA 4.1.0 imports detects and imports users automatically, the application can incorrectly create new users with invalid IDs.
Resolving The Problem
Before you begin
The User Behavior Analytics (UBA) version 4.1.1 or later resolves the duplicate user issue. Administrators who experience the symptoms described in this technical note must upgrade, then remove duplicate users to fully resolve this issue. For QRadar 7.3.3 Fix Pack 6 or 7.4.1 Fix Pack 2 or later, click here to download UBA. For more information, see Upgrading the User Behavior Analytics app.
Procedure
After upgrading to UBA 4.1.1 or later, administrators can remove the users in the import configuration causing the duplicates. Deleting the last import removes the last polled import and preserves users discovered from event data.
To delete a user import:
The User Behavior Analytics (UBA) version 4.1.1 or later resolves the duplicate user issue. Administrators who experience the symptoms described in this technical note must upgrade, then remove duplicate users to fully resolve this issue. For QRadar 7.3.3 Fix Pack 6 or 7.4.1 Fix Pack 2 or later, click here to download UBA. For more information, see Upgrading the User Behavior Analytics app.
Procedure
After upgrading to UBA 4.1.1 or later, administrators can remove the users in the import configuration causing the duplicates. Deleting the last import removes the last polled import and preserves users discovered from event data.
To delete a user import:
- Click the User Import icon in the top menu bar on the UBA dashboard.
- Click the Delete icon on the problematic import.
- If you have UBA 4.1.0 installed, a pop-up menu requests the administrator to confirm the delete action.
- Select the Delete the configuration and users option and click Confirm.
Results
The duplicate users from the last import are removed. If you did not upgrade to UBA 4.1.1 or later, duplicate user imports can occur again. If you continue to experience issues with duplicate users, you can use the Help & Support Page to clear the UBA and Machine Learning data.
Important: Administrators who have large numbers of duplicate users can opt to clear the UBA data. Clearing UBA data allows the application to be reset as if you just installed the application and completed the base configuration without any user data. If the Machine Learning app is installed, the Clear UBA Data button also resets the machine learning application data. If you are unsure how to proceed, contact QRadar Support for assistance.
Document Location
Worldwide
[{"Type":"SW","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
02 June 2021
UID
ibm16452539