Solved: Splunk 'Enterprise Security Suite' - Identity Mana...

jawaharas · ‎04-02-2019

Configuration:
We have configured a lookup table under 'ESS Identity management' to maintain the list of users. The user list is updated daily using a scheduled search. And the 'priority' of the user is calculated either as 'high' or 'medium' based on certain factors.

Problem:
But, the priority of a few users is modified as 'critical'. I am trying to understand feature/search which modifies the priority value.

Any help is a welcome one. Thanks.

lakshman239 · ‎04-04-2019

I don't think the users priority in the identity tables gets changed by any other process. Can you pls double check if your scheduled search is updating it? (perhaps)
I assume you are not talking about -https://docs.splunk.com/Documentation/ES/5.2.2/User/Howurgencyisassigned

View solution in original post

lakshman239 · ‎04-04-2019

I don't think the users priority in the identity tables gets changed by any other process. Can you pls double check if your scheduled search is updating it? (perhaps)
I assume you are not talking about -https://docs.splunk.com/Documentation/ES/5.2.2/User/Howurgencyisassigned

jawaharas · ‎04-06-2019

You are right. I have overlooked the scheduled search that updates the identity lookup table. My bad.

The priority indeed calculated and updated by the scheduled search. Thanks.

lakshman239 · ‎04-07-2019

If you are happy with the answer, pls accept the same to close the thread.

Splunk 'Enterprise Security Suite' - Identity Management's Priority calculation

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases