Splunk Enterprise Security

Adding a tag to leavers in identity

sysjohn
Engager

Hello All,

Wondering if anyone can help? I am currently looking at RBA and adding a multiplier to any users that are leaving. At first glance, I was wondering whether to look at risk_object_endDate=*, but am now wondering how the lookup for identity works and if I can be clever and add a category "leaver" to the user (or risk_object_identity_tag that index=risk will pick up). From some research I think the identity lookup is being run by many searches but mainly from ldapsearch. Does this mean it is picking up categories from LDAP? Not sure how to check what the lookup is running to fill its contents. Any help/guidance would be great!

Thank you,

J.


ro_mc
Path Finder

The good news is that you can definitely add your own fields. However, it may be best to make use of the existing fields as shown in the link below. I suggest this because ES has changed the fields for these lookups in the past, and changes to the default may complicate migrations or upgrades in the future.

https://docs.splunk.com/Documentation/ES/latest/Admin/Formatassetoridentitylist#Identity_lookup_head...

Fields that might meet your need include category, watchList & endDate (as you mentioned). You can then create your own identity list and optionally prioritise it to ensure that any risk ratings apply to the values you've entered rather than those obtained through other sources such as LDAP/AD.

If you're not worried about data migration, or if you're comfortable modifying a migration script to include your additional source field if necessary, you can follow the steps below to add or modify identity fields for the current version. Be aware that any existing lookups will need to have the additional field name and column added for existing entries to prevent errors from occurring when these lookups are queried.

https://docs.splunk.com/Documentation/ES/6.6.2/Admin/Identitysettings

Hope this helps.

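As an added illustration of the approach in the answer above (not code from either poster or from Splunk's own ES content), the following search enriches risk events with the identity fields the answer names and applies a multiplier when the user carries a "leaver" category or has an endDate set. It assumes the ES lookup definition `identity_lookup_expanded` is the enriched identity lookup in your deployment, that `risk_object_type="user"` is how user-keyed risk events are tagged, and that a factor of 2 is the multiplier you want; adjust all three to your environment.

```spl
index=risk risk_object_type="user"
| lookup identity_lookup_expanded identity AS risk_object OUTPUT category AS risk_object_category, watchList AS risk_object_watchlist, endDate AS risk_object_endDate
| eval is_leaver=if(mvcount(mvfilter(match(risk_object_category, "(?i)^leaver$")))>0 OR (isnotnull(risk_object_endDate) AND risk_object_endDate!=""), 1, 0)
| eval risk_score=if(is_leaver==1, risk_score*2, risk_score)
| stats sum(risk_score) AS total_risk, max(is_leaver) AS is_leaver, values(risk_object_category) AS categories, latest(risk_object_endDate) AS endDate BY risk_object
| where total_risk > 100
```

The `category` column of an identity list is pipe-delimited, so a row tagged `leaver|contractor` yields a multivalue field here; `mvfilter` is used rather than a bare `match` so the check is applied to every value, not just the first. Because the answer's point is that a prioritised identity list of your own beats LDAP-sourced values, the `endDate` branch is kept as a fallback for users whose leaver status arrives only through AD, while the `category` branch picks up the tag you set yourself.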