Splunk Enterprise Security

Splunk 'Enterprise Security Suite' - Identity Management's Priority calculation

Motivator

Configuration:
We have configured a lookup table under 'ESS Identity management' to maintain the list of users. The user list is updated daily using a scheduled search. And the 'priority' of the user is calculated either as 'high' or 'medium' based on certain factors.

Problem:
But the priority of a few users is modified to 'critical'. I am trying to understand which feature/search modifies the priority value.

Any help is welcome. Thanks.

0 Karma

Re: Splunk 'Enterprise Security Suite' - Identity Management's Priority calculation

SplunkTrust

I don't think the user's priority in the identity tables gets changed by any other process. Can you please double check if your scheduled search is updating it? (perhaps)
I assume you are not talking about https://docs.splunk.com/Documentation/ES/5.2.2/User/Howurgencyisassigned

0 Karma

Re: Splunk 'Enterprise Security Suite' - Identity Management's Priority calculation

Motivator

You are right. I have overlooked the scheduled search that updates the identity lookup table. My bad.

The priority is indeed calculated and updated by the scheduled search. Thanks.

0 Karma

Re: Splunk 'Enterprise Security Suite' - Identity Management's Priority calculation

SplunkTrust

If you are happy with the answer, please accept it to close the thread.

0 Karma
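
The check the thread settled on, finding which saved search writes to the identity lookup and whether it sets `priority`, can be run offline against a copy of `savedsearches.conf`. This is an added example, not code from the thread or from Splunk; the stanza names, the SPL, the lookup name `my_identities.csv` and the helpers `parse_conf` and `lookup_writers` are all constructed for illustration.

```python
import re

# Constructed savedsearches.conf sample; stanza names, SPL and lookup name are hypothetical.
SAMPLE_CONF = r"""
[Identity - Daily User Refresh]
enableSched = 1
cron_schedule = 0 2 * * *
search = index=hr sourcetype=users \
| eval priority=case(is_admin=1,"critical",is_staff=1,"high",true(),"medium") \
| outputlookup my_identities.csv

[Failed Logins Report]
enableSched = 1
search = index=auth action=failure | lookup my_identities.csv identity AS user

[Old Identity Import]
enableSched = 0
search = | inputlookup legacy_users.csv | outputlookup append=true my_identities.csv
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining lines that end in a backslash."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1] + " "   # continuation: keep accumulating this value
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)   # split once; SPL itself contains '='
            current[key.strip()] = value.strip()
    return stanzas

def lookup_writers(stanzas, lookup):
    """Return (name, scheduled, sets_priority) for each search that outputlookups to `lookup`."""
    writes = re.compile(r"\|\s*outputlookup\b[^|]*\b" + re.escape(lookup), re.I)
    hits = []
    for name, conf in stanzas.items():
        spl = conf.get("search", "")
        if writes.search(spl):   # a plain `| lookup` or `| inputlookup` only reads, so it is skipped
            scheduled = conf.get("enableSched", "0") in ("1", "true")
            sets_priority = re.search(r"\bpriority\s*=", spl) is not None
            hits.append((name, scheduled, sets_priority))
    return hits

print(lookup_writers(parse_conf(SAMPLE_CONF), "my_identities.csv"))
```

A search reported as scheduled and setting `priority` is the first place to look when a value appears in the lookup that nobody expected.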