Can anyone please share some best practice or your own preferred method for populating the watchlist field in the assets and identities lookup table in ES?
We are currently using Sailpoint data to populate the identities lookup.
The only reference I have is someone using the logic below, leveraging the ldapsearch command:
| eval watchlist=if((userAccountControl % 4)>=2,"true","")
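What the eval expression quoted in the post selects, as an added example that is not part of the original post: (userAccountControl % 4) >= 2 is true exactly when bit 0x2 (ACCOUNTDISABLE) of the Active Directory attribute is set, so it puts disabled accounts on the watchlist. The account names and values are constructed, and only the identity and watchlist columns of the identities lookup are written here.

```python
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl flag: account is disabled


def watchlist_from_uac(uac):
    """Mirror of: eval watchlist=if((userAccountControl % 4)>=2,"true","")"""
    try:
        value = int(uac)
    except (TypeError, ValueError):
        return ""  # attribute missing or non-numeric: leave watchlist empty
    # value % 4 keeps the two lowest bits (0x1 and 0x2);
    # a remainder of 2 or 3 means bit 0x2 (ACCOUNTDISABLE) is set.
    return "true" if (value % 4) >= 2 else ""


# Constructed sample records; the account names are hypothetical.
SAMPLE_RECORDS = [
    {"sAMAccountName": "asmith", "userAccountControl": "512"},    # normal account
    {"sAMAccountName": "bjones", "userAccountControl": "514"},    # normal + disabled
    {"sAMAccountName": "cwu", "userAccountControl": "66048"},     # normal + password never expires
    {"sAMAccountName": "dlee", "userAccountControl": "66050"},    # same as above + disabled
    {"sAMAccountName": "svc_x", "userAccountControl": ""},        # attribute not returned
]


def build_lookup_csv(records):
    """Return CSV text with a reduced identities-lookup column set (assumption:
    a real lookup file carries the remaining identity columns as well)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["identity", "watchlist"])
    for rec in records:
        flag = watchlist_from_uac(rec.get("userAccountControl"))
        writer.writerow([rec["sAMAccountName"], flag])
    return out.getvalue()


if __name__ == "__main__":
    print(build_lookup_csv(SAMPLE_RECORDS), end="")
```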