We have the SecKit Windows Assets Add-on for Splunk Enterprise Security and the SecKit SA IDM Common installed on our cloud instance, with data populating in the seckit_idm_windows_identities_lookup. I have now filled out the identity and nha_priority fields in the seckit_idm_windows_identities_nha lookup, but I am not getting any changes reflected in the seckit_idm_windows_identities_lookup.
My identity fields and nha_priority fields look something like:
identity    nha_priority
*.test      medium
*.tech      medium
*.admin     critical
What am I missing here? Do the lookups used with this add-on only work on the initial ingestion of new data, or should they pick up any changes during the normal refresh period?
We've been working with SecKit for the last few weeks with our identities. There are a lot of moving parts, but specifically for the identities portion, after you have populated your "seckit_idm_windows_activedirectory_persons_lookup" there is a saved search that runs a macro every four hours to merge the various lookups: "seckit_idm_windows_ad_identities".
For each different lookup under "SecKit_SA_idm_windows" that macro will look across the "seckit_idm_windows_activedirectory_persons_lookup" and match up the various fields (e.g. identity, account, memberOf, etc.).
For the "seckit_idm_windows_identities_nha" lookup it is going to search across the identities to attempt a match. However, we found that the lookup definition didn't include "WILDCARD(identity)" even though the documentation says it should be a wildcard search. The "seckit_idm_windows_identities_accounts_lookup" does (using the "account" field in the lookup and WILDCARD(account)) and seems to be a better fit when searching across multi-valued identities. Alternatively, you could modify the definition of the nha lookup in transforms.conf to include "match_type = WILDCARD(identity)" as well.
[seckit_idm_windows_identities_nha_default_lookup]
filename = seckit_idm_windows_identities_nha_default.csv
fields_list = identity,nha_category,nha_watchlist,nha_priority
case_sensitive_match = false

[seckit_idm_windows_identities_accounts_lookup]
filename = seckit_idm_windows_identities_accounts.csv
fields_list = account,account_category,account_priority,account_watchlist
match_type = WILDCARD(account)
case_sensitive_match = false
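As an added check, not from the original answer or from the SecKit project, the searches below let you confirm from the search bar (useful on Splunk Cloud, where you cannot read transforms.conf directly) whether the nha lookup definition actually carries a match_type, and whether pattern rows like the ones in the question resolve. The three identities are constructed test values; the lookup rows assumed are the *.test, *.tech and *.admin entries from the question, and the definition name is the stanza name quoted above (use whatever name Settings > Lookups > Lookup definitions shows in your install).

```spl
| rest /services/data/transforms/lookups
| search title="seckit_idm_windows_identities_nha_default_lookup"
| table title fields_list match_type case_sensitive_match

| makeresults count=3
| streamstats count AS n
| eval identity=case(n==1, "jsmith.admin", n==2, "svc.test", n==3, "bob.ninja")
| lookup seckit_idm_windows_identities_nha_default_lookup identity OUTPUT nha_category nha_watchlist nha_priority
| table identity nha_category nha_watchlist nha_priority
```

With the definition as shown on the page (no match_type), the first search returns an empty match_type column and the second returns nha_priority empty for all three rows, because "*.admin" is compared to "jsmith.admin" as a literal string. After adding "match_type = WILDCARD(identity)" to the stanza, jsmith.admin returns critical and svc.test returns medium, while bob.ninja stays empty because no row matches it. Run the second search again after the four-hourly merge to confirm the values have propagated into seckit_idm_windows_identities_lookup as well.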
Thanks Jeremy for your suggestion.
I switched over to seckit_idm_windows_identities_accounts and it worked with my *.ninja accounts.
I did find that adding would work in seckit_idm_windows_identities_nha