We have the SecKit Windows Assets Add-on for Splunk Enterprise Security and the SecKit SA IDM Common install on our cloud instance with data populating in the seckitidmwindowsidentitieslookup but now I have filled the identity and nhapriority fields out in the seckitidmwindowsidentitiesnha lookup but I am not getting any changes reflecting in the seckitidmwindowsidentitieslookup.
My identity fields and nhapriority fields look something like:
What am I missing here? Do the lookups used with this add-on only work on the initial ingestion of new data, or should they pick up any changes during the normal refresh period?
We've been working with SecKit for the last few weeks with our identities. There are a lot of moving parts but specifically for the identities portion, after you have populated your "seckitidmwindowsactivedirectorypersonslookup" there is a saved search that runs a macro every four hours to merge the various lookups: "`seckitidmwindowsad_identities`".
For each different lookup under "SecKitSAidmwindows" that macro will look across the "seckitidmwindowsactivedirectorypersonslookup" and match up the various fields (e.g. identity, account, memberOf, etc.).
For the "seckitidmwindowsidentitiesnha lookup" it is going to search across the identities to attempt a match. However, we found that the lookup definition didn't include "WILDCARD(identity)" even though the documentation says it should be a wildcard search. The "seckitidmwindowsidentitiesaccountslookup" does (using the "account" field in the lookup and WILDCARD(account)) and seems to be a better fit when searching across multi-valued identities. Alternatively you could modify the definition of the nha lookup in transforms.conf to include `match_type = WILDCARD(identity)` as well.
```
# nha lookup definition as posted (stanza headers were not included in the post)
filename = seckitidmwindowsidentitiesnhadefault.csv
fields_list = identity,nhacategory,nhawatchlist,nhapriority
case_sensitive_match = false
# no match_type here, so "identity" is compared exactly

# accounts lookup definition as posted
filename = seckitidmwindowsidentitiesaccounts.csv
fields_list = account,accountcategory,accountpriority,accountwatchlist
match_type = WILDCARD(account)
case_sensitive_match = false
```
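To make the difference between the two definitions concrete, here is an added Python simulation (not SecKit's code, and not from the answer above) of how a lookup row is matched against an identity value with and without `match_type = WILDCARD(identity)`. The CSV contents and the identity values are constructed sample data; the `nha_priority` column name and the `*.ninja` pattern are assumptions for the illustration.

```python
"""
Simulates Splunk lookup matching for one lookup field under two
transforms.conf settings: the default exact comparison and
match_type = WILDCARD(<field>), where '*' in the CSV cell matches any
run of characters. Constructed sample data, not SecKit's own lookups.
"""
import csv
import io
import re

# Constructed nha lookup CSV. The "*.ninja" row can only ever match
# an identity if the identity column is matched as a wildcard.
NHA_CSV = """identity,nha_category,nha_watchlist,nha_priority
*.ninja,privileged,true,high
svc_backup,service,false,medium
"""

# Constructed identity values as they might appear in the merged
# identities lookup (a multi-valued identity split into single values).
IDENTITIES = ["alice.ninja", "bob", "SVC_BACKUP", "carol.ninja"]


def load_rows(text):
    """Parse a lookup CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def wildcard_to_regex(pattern):
    """Translate a Splunk-style wildcard (only '*' is special) to a regex."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def match_rows(identity, rows, field="identity", wildcard=False, case_sensitive=False):
    """Return the lookup rows whose `field` matches `identity`.

    wildcard=False mirrors a stanza with no match_type (exact comparison);
    wildcard=True mirrors match_type = WILDCARD(field);
    case_sensitive mirrors case_sensitive_match.
    """
    matched = []
    for row in rows:
        pattern, value = row[field], identity
        if not case_sensitive:
            pattern, value = pattern.lower(), value.lower()
        if wildcard:
            hit = re.fullmatch(wildcard_to_regex(pattern), value) is not None
        else:
            hit = value == pattern
        if hit:
            matched.append(row)
    return matched


def enrich(identities, rows, wildcard):
    """Map each identity to the nha_priority the lookup would attach, or None."""
    result = {}
    for ident in identities:
        hits = match_rows(ident, rows, wildcard=wildcard)
        result[ident] = hits[0]["nha_priority"] if hits else None
    return result


if __name__ == "__main__":
    rows = load_rows(NHA_CSV)
    # Exact matching only enriches svc_backup; the "*.ninja" row never fires.
    print("exact   :", enrich(IDENTITIES, rows, wildcard=False))
    # Wildcard matching also enriches alice.ninja and carol.ninja.
    print("wildcard:", enrich(IDENTITIES, rows, wildcard=True))
```

Running it shows why a row such as `*.ninja` silently does nothing under the exact definition and only starts contributing `nha_priority` once the stanza carries `match_type = WILDCARD(identity)`; the case-insensitive behaviour of `case_sensitive_match = false` is the same in both modes.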
Thanks Jeremy for your suggestion.
I switched over to seckitidmwindowsidentitiesaccounts and it worked with my *.ninja accounts.
I did find that adding would work in seckitidmwindowsidentitiesnha