Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

seckit_idm_windows_identities_nha lookup not populating the priority in Identities

edhealea
Path Finder
‎12-27-2019 09:05 AM

We have the SecKit Windows Assets Add-on for Splunk Enterprise Security and the SecKit SA IDM Common install on our cloud instance with data populating in the seckit_idm_windows_identities_lookup but now I have filled the identity and nha_priority fields out in the seckit_idm_windows_identities_nha lookup but I am not getting any changes reflecting in the seckit_idm_windows_identities_lookup.
My identity fields and nha_priority fields look something like:
*.test medium
*.tech medium
*.admin critical
What am I missing here? Does the lookups used with this add-on only work on the initial ingestion of new data or should it update any changes during its normal refresh period?
.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeremycarternfc
Engager
‎01-02-2020 07:02 AM

We've been working with SecKit for the last few weeks with our identities. There are a lot of moving parts but specifically for the identities portion, after you have populated your "seckit_idm_windows_activedirectory_persons_lookup" there is a saved search that runs a macro every four hours to merge the various lookups: "seckit_idm_windows_ad_identities".

For each different lookup under "SecKit_SA_idm_windows" that macro will look across the "seckit_idm_windows_activedirectory_persons_lookup" and match up the various fields (e.g. identity, account, memberOf, etc.).

For the "seckit_idm_windows_identities_nha lookup" it is going to search across the identities to attempt a match. However we found that the lookup definition didn't include "WILDCARD(identity)" even though the documentation says it should be a wildcard search. The "seckit_idm_windows_identities_accounts_lookup" does (using the "account" field in the lookup and WILDCARD(account)) and seems to be a better fit when searching across multi-valued identities. Alternatively you could modify the definition of the nha lookup in transforms.conf to include the "match_type= WILDCARD(identity)" as well.

[seckit_idm_windows_identities_nha_default_lookup]
filename = seckit_idm_windows_identities_nha_default.csv
fields_list = identity,nha_category,nha_watchlist,nha_priority
case_sensitive_match = false

[seckit_idm_windows_identities_accounts_lookup]
filename = seckit_idm_windows_identities_accounts.csv
fields_list = account,account_category,account_priority,account_watchlist
match_type = WILDCARD(account)
case_sensitive_match = false

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jeremycarternfc
Engager
‎01-02-2020 07:02 AM

We've been working with SecKit for the last few weeks with our identities. There are a lot of moving parts but specifically for the identities portion, after you have populated your "seckit_idm_windows_activedirectory_persons_lookup" there is a saved search that runs a macro every four hours to merge the various lookups: "seckit_idm_windows_ad_identities".

For each different lookup under "SecKit_SA_idm_windows" that macro will look across the "seckit_idm_windows_activedirectory_persons_lookup" and match up the various fields (e.g. identity, account, memberOf, etc.).

For the "seckit_idm_windows_identities_nha lookup" it is going to search across the identities to attempt a match. However we found that the lookup definition didn't include "WILDCARD(identity)" even though the documentation says it should be a wildcard search. The "seckit_idm_windows_identities_accounts_lookup" does (using the "account" field in the lookup and WILDCARD(account)) and seems to be a better fit when searching across multi-valued identities. Alternatively you could modify the definition of the nha lookup in transforms.conf to include the "match_type= WILDCARD(identity)" as well.

[seckit_idm_windows_identities_nha_default_lookup]
filename = seckit_idm_windows_identities_nha_default.csv
fields_list = identity,nha_category,nha_watchlist,nha_priority
case_sensitive_match = false

[seckit_idm_windows_identities_accounts_lookup]
filename = seckit_idm_windows_identities_accounts.csv
fields_list = account,account_category,account_priority,account_watchlist
match_type = WILDCARD(account)
case_sensitive_match = false

0 Karma
Reply
Solved! Jump to solution

edhealea
Path Finder
‎01-02-2020 12:43 PM

Thanks Jeremy for your suggestion.
I switched over to seckit_idm_windows_identities_accounts and it worked with my *.ninja accounts.
I did find that adding would work in seckit_idm_windows_identities_nha

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...