Splunk Enterprise Security

Does Splunk automatically tag identities with watchlist?

cmcneilw
New Member

We recently had Splunk PS help set up ES in our environment, but all of the managed look-ups the PS person created no longer work due to their account being removed.

We currently have >4500 identities in the "Watchlisted Identities" dataset where watchlist=true. 

Our solution for fixing the orphaned look-ups is to re-create them, but before we do that we want to verify that the only way an identity in ES will have the Watchlist=true tag applied is through those managed lookups, not through an automated process.

If so, then we'll have the task of re-tagging all identities to "watchlist=false" before re-creating the look-ups.

 

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.