Splunk Enterprise Security

seckit_idm_windows_identities_nha lookup not populating the priority in Identities

edhealea
Path Finder

We have the SecKit Windows Assets Add-on for Splunk Enterprise Security and the SecKit SA IDM Common add-on installed on our cloud instance, with data populating in the seckit_idm_windows_identities_lookup. I have now filled out the identity and nha_priority fields in the seckit_idm_windows_identities_nha lookup, but I am not getting any changes reflected in the seckit_idm_windows_identities_lookup.
My identity and nha_priority fields look something like:
*.test medium
*.tech medium
*.admin critical
What am I missing here? Do the lookups used with this add-on only work on the initial ingestion of new data, or should they pick up changes during the normal refresh period?

0 Karma
1 Solution

jeremycarternfc
Engager

We've been working with SecKit for the last few weeks with our identities. There are a lot of moving parts but specifically for the identities portion, after you have populated your "seckit_idm_windows_activedirectory_persons_lookup" there is a saved search that runs a macro every four hours to merge the various lookups: "seckit_idm_windows_ad_identities".

For each different lookup under "SecKit_SA_idm_windows" that macro will look across the "seckit_idm_windows_activedirectory_persons_lookup" and match up the various fields (e.g. identity, account, memberOf, etc.).

For the "seckit_idm_windows_identities_nha" lookup it is going to search across the identities to attempt a match. However, we found that the lookup definition didn't include "WILDCARD(identity)" even though the documentation says it should be a wildcard search. The "seckit_idm_windows_identities_accounts_lookup" does (using the "account" field in the lookup and WILDCARD(account)) and seems to be a better fit when searching across multi-valued identities. Alternatively, you could modify the definition of the nha lookup in transforms.conf to include "match_type = WILDCARD(identity)" as well.

[seckit_idm_windows_identities_nha_default_lookup]
filename = seckit_idm_windows_identities_nha_default.csv
fields_list = identity,nha_category,nha_watchlist,nha_priority
case_sensitive_match = false

[seckit_idm_windows_identities_accounts_lookup]
filename = seckit_idm_windows_identities_accounts.csv
fields_list = account,account_category,account_priority,account_watchlist
match_type = WILDCARD(account)
case_sensitive_match = false


0 Karma
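The override the answer above describes, written out as an added example (not a file shipped with the SecKit add-on). It assumes the add-on lives in an app directory named SecKit_SA_idm_windows and that the stanza name matches the one quoted in the answer. Splunk merges conf layers attribute by attribute within a stanza, so the local stanza only needs the keys being changed; filename and fields_list carry over from default/transforms.conf, and the change survives an add-on upgrade, which replaces default/ but leaves local/ alone.

```ini
# Added example: $SPLUNK_HOME/etc/apps/SecKit_SA_idm_windows/local/transforms.conf
# App directory name is assumed; check it on your search head.
# Only the attributes listed here change. filename and fields_list are
# inherited from the add-on's default/transforms.conf for the same stanza.

[seckit_idm_windows_identities_nha_default_lookup]
# Treat '*' in the CSV identity column as a glob, so a row such as
#   *.admin,,,critical        (identity,nha_category,nha_watchlist,nha_priority)
# matches an identity like svc_backup.admin. Without this line the lookup
# does an exact string compare and the row only matches the literal "*.admin".
match_type = WILDCARD(identity)
case_sensitive_match = false
```

On Splunk Cloud, where you cannot edit files on disk, the same setting is exposed in the UI under Settings > Lookups > Lookup definitions > (the definition) > Advanced options > Match type. Either way, test the definition directly rather than waiting for the four-hourly merge search: `| makeresults | eval identity="svc_backup.admin" | lookup seckit_idm_windows_identities_nha_default_lookup identity OUTPUT nha_priority` should return critical once the wildcard match is in effect. Keep in mind that with overlapping patterns the first matching CSV row wins (max_matches defaults to 1), so order more specific patterns such as *.admin above broad ones.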

edhealea
Path Finder

Thanks Jeremy for your suggestion.
I switched over to seckit_idm_windows_identities_accounts and it worked with my *.ninja accounts.
I did find that adding would work in seckit_idm_windows_identities_nha

0 Karma