Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Strategies for populating watchlist field in Assets and Identity Framework

damode
Motivator
‎01-04-2021 05:31 AM

Can anyone please share some best practise or your own preferred method for populating the watchlist field in the assets and identities lookup table in ES ?

We are currently using Sailpoint data to populate the identities lookup.

The only one reference i have got is someone using below logic by leveraging the ldapsearch command.

| eval watchlist=if((userAccountControl % 4)>=2,"true","")

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...