Splunk Enterprise Security

seckit_idm_windows_identities_nha lookup not populating the priority in Identities

We have the SecKit Windows Assets Add-on for Splunk Enterprise Security and the SecKit SA IDM Common installed on our cloud instance, with data populating in the seckit_idm_windows_identities_lookup. I have now filled out the identity and nha_priority fields in the seckit_idm_windows_identities_nha lookup, but I am not getting any changes reflected in the seckit_idm_windows_identities_lookup.

My identity and nha_priority fields look something like:

*.test medium
*.tech medium
*.admin critical

What am I missing here? Do the lookups used with this add-on only work on the initial ingestion of new data, or should they pick up changes during the normal refresh period?

Re: seckit_idm_windows_identities_nha lookup not populating the priority in Identities

We've been working with SecKit for the last few weeks with our identities. There are a lot of moving parts, but specifically for the identities portion, after you have populated your "seckit_idm_windows_active_directory_persons_lookup" there is a saved search that runs a macro every four hours to merge the various lookups: "`seckit_idm_windows_ad_identities`".

For each different lookup under "SecKit_SA_idm_windows", that macro will look across the "seckit_idm_windows_active_directory_persons_lookup" and match up the various fields (e.g. identity, account, memberOf, etc.).

For the "seckit_idm_windows_identities_nha" lookup it is going to search across the identities to attempt a match. However, we found that the lookup definition didn't include "WILDCARD(identity)" even though the documentation says it should be a wildcard search. The "seckit_idm_windows_identities_accounts_lookup" does (using the "account" field in the lookup and WILDCARD(account)) and seems to be a better fit when searching across multi-valued identities. Alternatively, you could modify the definition of the nha lookup in transforms.conf to include "match_type = WILDCARD(identity)" as well.

[seckit_idm_windows_identities_nha_default_lookup]
filename = seckit_idm_windows_identities_nha_default.csv
fields_list = identity,nha_category,nha_watchlist,nha_priority
case_sensitive_match = false

[seckit_idm_windows_identities_accounts_lookup]
filename = seckit_idm_windows_identities_accounts.csv
fields_list = account,account_category,account_priority,account_watchlist
# wildcard matching on the account column; the nha stanza above has no match_type
match_type = WILDCARD(account)
case_sensitive_match = false

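As an added illustration (not code from SecKit, Splunk or the answer above), the following Python simulates how a CSV lookup shaped like the nha lookup resolves an identity with and without match_type = WILDCARD(identity). The CSV rows are constructed from the question's sample values; the assumption that Splunk's WILDCARD treats "*" as any run of characters while a lookup without match_type compares values literally is mine.

```python
"""Simulate Splunk CSV lookup matching for a SecKit-style nha lookup.

Added illustration, not SecKit or Splunk code. Assumptions: with
match_type = WILDCARD(<field>) a '*' in the lookup column matches any run
of characters and nothing else is special; with no match_type the lookup
value is compared literally; case_sensitive_match = false lowercases both
sides; the first matching row wins.
"""
import csv
import io
import re

# Constructed lookup content in the shape of seckit_idm_windows_identities_nha.csv
# (column names follow the transforms.conf stanza quoted in the answer).
NHA_CSV = """identity,nha_category,nha_watchlist,nha_priority
*.test,,false,medium
*.tech,,false,medium
*.admin,,true,critical
"""


def load_lookup(text):
    """Parse lookup CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _matches(pattern, value, wildcard, case_sensitive=False):
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    if not wildcard:
        # Literal compare: the row "*.admin" only matches an identity that
        # is literally "*.admin", so real accounts never get a priority.
        return pattern == value
    # WILDCARD: turn each '*' into ".*", escape everything else.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def lookup_priority(identities, rows, wildcard):
    """Return the nha_priority the lookup would attach to an identity
    record whose (possibly multi-valued) identity field is `identities`,
    or None when no row matches (the symptom described in the question)."""
    for ident in identities:
        for row in rows:
            if _matches(row["identity"], ident, wildcard):
                return row["nha_priority"]
    return None
```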
Re: seckit_idm_windows_identities_nha lookup not populating the priority in Identities

Thanks Jeremy for your suggestion.
I switched over to seckit_idm_windows_identities_accounts and it worked with my *.ninja accounts.
I did find that adding would work in seckit_idm_windows_identities_nha.
