Splunk Enterprise Security

Splunk Enterprise Security: Why is the alert "Activity from an expired identity" getting triggered when no identities have expired?

andresito123
Communicator

I have populated identities.csv on Splunk Enterprise Security and enabled the alert of "Activity from an expired identity". Although the identity is not expired, the alerts are being generated. Do you have any ideas on how to correct this issue?

My identities.csv looks like the following:

identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
xxx,Mr.,,xxx,xxx,,xxx,,,xxx,,xxx,contractor,true,,01/31/17 23:59,xxx,xxx,,
xxx,Ms.,,xxx,xxx,,xxx,,,xxx,,xxx,contractor,true,,01/31/17 23:59,xxx,xxx,,
0 Karma

avisram_splunk
Splunk Employee
Splunk Employee

What version of Enterprise Security is this on? Your issue might be related to this:

https://answers.splunk.com/answers/442556/splunk-expired-account-activity.html

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...