Splunk Enterprise Security

Why are categories not merging within Identity Investigator?

stefan1988
Path Finder

Hello,

I have two identity lookups with two different categories: one lookup with the category 'gds_account' and the other with the category 'ad_account'.

I would expect the identity to receive the category 'gds_account, ad_account', but I'm only seeing one category within the Identity Investigator. Is that right?

Thanks and regards,
Stefan

0 Karma

ekost
Splunk Employee

Reviewing the documentation on Identity lookup fields, the category field accepts pipe-delimited entries. That does not imply that you can spread a collection of categories across multiple lookups, but rather that all category data must be populated in the identity lookup. The category field accepts pipe-delimited entries in the case that there are multiple categories for a given identity.

Notably, you can leverage a search-driven lookup to collect data and create a merged category list for inclusion into the identity lookup. It's also good practice to try building a search-driven lookup, as many processes in ES leverage them.

Note that the 'owner' field for the assets lookup is listed as a string, and not a delimited field. Therefore I would not expect to get more than one value.

If you're keen to see the values from another lookup associated with an event, give the field in that lookup a unique name and check that the field appears in the events when you drill down. Example: category_gs, or category_ad. Always check that the lookup is working properly before beginning more complex operations.

0 Karma
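A sketch of the search-driven lookup ekost describes, added here as an example and not part of the original thread: it pulls both source lookups, tags each row with its category, collapses them per identity into the pipe-delimited `category` value the ES identity lookup expects, and writes the merged result. The lookup names `gds_identities` and `ad_identities`, the output file name, and a single value per row in the `identity` field are all assumptions.

```spl
| inputlookup gds_identities
| eval category="gds_account"
| append
    [| inputlookup ad_identities
     | eval category="ad_account"]
| stats values(category) as category, values(email) as email by identity
| eval category=mvjoin(category, "|")
| eval email=mvjoin(email, "|")
| outputlookup identities_merged.csv
```

Run it once by hand and confirm that an identity present in both sources shows `gds_account|ad_account` before saving it as a search-driven lookup and pointing the identity lookup configuration at the merged file. The `append` subsearch is subject to the default subsearch row limit, so check that row count against the size of the second lookup.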

stefan1988
Path Finder

The same applies to the owner field. If you have two lookups from two different data sources and both give an owner value, it looks like ES is not presenting this multivalue in the Asset/Identity Investigator. Has anyone been able to solve this?

0 Karma