Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Does Splunk automatically tag identities with watchlist?

cmcneilw
New Member
‎06-09-2021 02:22 PM

We recently had Splunk PS help set up ES in our environment, but all of the managed look-ups the PS person created no longer work due to their account being removed.

We currently have >4500 identities in the "Watchlisted Identities" dataset where watchlist=true. 

Our solution for fixing the orphaned look-ups is to re-create them, but before we do that we want to verify that the only way an identity in ES will have the Watchlist=true tag applied is through those managed lookups, not through an automated process.

If so, then we'll have the task of re-tagging all identities to "watchlist=false" before re-creating the look-ups.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...