Splunk Enterprise Security

Identities question

Niro
Explorer

Hello,

I've set up an identity lookup using ldapsearch - it creates an identity of "username" that contains various details about the user, including the email address. It works well in identifying the user as `username` and `useremail@domain`.

However, I'd like to also have it identify users based on `domain\username` and `username@domain` (which is actually different from `useremail` in our case), since a lot of our logs contain the user field in those formats. What's the best way to do that?

0 Karma

isoutamo
SplunkTrust

Hi

There are two options to get those into your lookup.

  1. Get those from your LDAP query. This is obviously the best option, as then those are absolutely correct. Unfortunately I don't have any suitable AD to look at what fields those are and how you could get those. I'm quite sure that those are there. Just ask your AD admins and they will probably help you.
  2. If you have a standard for how those are created based on other attributes, then just regenerate those before you add the entry to the lookup.

r. Ismo

0 Karma

Niro
Explorer

Thanks for your reply!

I guess I should clarify my question though - I can figure out how to generate them; the question is where do I put them? Do I create additional fields in the lookup for the user and somehow Splunk will use that field? Make the identity field a multivalue field?

0 Karma

isoutamo
SplunkTrust

Probably the easiest way is to just add new fields at the end of your lookup file lines. That way it's easier to use those than to use e.g. mvfields.

0 Karma

Niro
Explorer

Thanks!

I did that, but how do I make it use the new field as an identity? I.e. right now I have the "identity" field, which is the samaccountname, and I also see it merged the email address into it when looking at the identity center. However, if I add another field (i.e. domain_identity) it won't use it for identity lookups as far as I can tell. What I did for now (which might be completely the wrong way to do it) is create another identity lookup with the exact same query as the first one (which gets all fields from Active Directory), but for "identity" I'm adding `domain\username`. That seems to do the trick, since it merges identities based on email address (which matches).

I'm sure I'm missing something very basic here though.

0 Karma
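Option 2 from the first reply (regenerate the extra username forms before each entry goes into the lookup), as an added example that is not from this thread: it parses ldapsearch-style output and fills an `identity` column with every form the logs may carry. It assumes a pipe-delimited `identity` column, an assumed NetBIOS domain name `EXAMPLE`, and the constructed sample below, in which `userPrincipalName` and `mail` differ as the question describes.

```python
# Constructed sample of ldapsearch (LDIF-style) output for two AD accounts.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
userPrincipalName: jdoe@example.com
mail: jane.doe@example.com

dn: CN=svc-backup,OU=Service,DC=example,DC=com
sAMAccountName: svc-backup
userPrincipalName: svc-backup@example.com
"""

NETBIOS_DOMAIN = "EXAMPLE"  # assumed NetBIOS name of the AD domain


def parse_ldif(text):
    """Split unwrapped LDIF-style output into one {attribute: value} dict per entry.
    Handles the plain 'attr: value' form only (no line folding, no '::' base64)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value.strip()
    if current:
        entries.append(current)
    return entries


def identity_variants(entry, netbios=NETBIOS_DOMAIN):
    """All username forms for one account, de-duplicated, joined with '|'
    (assumed pipe-delimited identity column convention)."""
    sam = entry["sAMAccountName"]
    candidates = [sam, f"{netbios}\\{sam}",          # username, DOMAIN\username
                  entry.get("userPrincipalName"),   # username@domain
                  entry.get("mail")]                # useremail@domain
    seen = []
    for c in candidates:
        if c and c not in seen:
            seen.append(c)
    return "|".join(seen)


def build_lookup_rows(text, netbios=NETBIOS_DOMAIN):
    """One lookup row per AD entry; keep whatever other columns your lookup already uses."""
    return [{"identity": identity_variants(e, netbios),
             "nick": e["sAMAccountName"],
             "email": e.get("mail", "")} for e in parse_ldif(text)]
```

Feed the rows to `csv.DictWriter` (or a KV Store collection) in place of the single-value identity column your ldapsearch script writes today.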

isoutamo
SplunkTrust

Have you tried using index_field_list in transforms.conf for a CSV-based lookup and/or accelerated_fields in collections.conf for a KV Store-based lookup?

0 Karma