Splunk Enterprise Security

Does Splunk automatically tag identities with watchlist?


We recently had Splunk PS help set up ES in our environment, but all of the managed lookups the PS person created no longer work due to their account being removed.

We currently have >4500 identities in the "Watchlisted Identities" dataset where watchlist=true. 

Our solution for fixing the orphaned lookups is to re-create them, but before we do that we want to verify that the only way an identity in ES will have the Watchlist=true tag applied is through those managed lookups, not through an automated process.

If so, then we'll have the task of re-tagging all identities to "watchlist=false" before re-creating the lookups.

