I have populated identities.csv on Splunk Enterprise Security and enabled the "Activity from an expired identity" alert. Although the identity is not expired, the alerts are being generated. Do you have any ideas on how to correct this issue?
My identities.csv looks like the following:
identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
xxx,Mr.,,xxx,xxx,,xxx,,,xxx,,xxx,contractor,true,,01/31/17 23:59,xxx,xxx,,
xxx,Ms.,,xxx,xxx,,xxx,,,xxx,,xxx,contractor,true,,01/31/17 23:59,xxx,xxx,,
What version of Enterprise Security is this on? Your issue might be related to this:
https://answers.splunk.com/answers/442556/splunk-expired-account-activity.html
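The format of the endDate column is worth checking alongside the ES version. As an added example that is not part of either post on this page, the Python script below parses a constructed identities.csv laid out like the poster's and classifies each row as active, expired, unparseable or lacking an endDate under two candidate strptime formats. Which format Splunk Enterprise Security actually applies to endDate is not stated on this page, so both formats, the sample rows and the reference times are assumptions; the point is that a two-digit year such as 01/31/17 and a four-digit year are not interchangeable, and an endDate that does not parse the way the correlation search expects is the first thing to rule out when an expiry alert fires on an identity that is still valid.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the layout of the poster's identities.csv (the real
# values were redacted as "xxx" in the question). Row 1 uses a two-digit year,
# row 2 a four-digit year, row 3 has no endDate at all.
SAMPLE_CSV = """identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long
jdoe,Mr.,,John,Doe,,jdoe@example.com,,,mgr1,,finance,contractor,true,,01/31/17 23:59,Boston,US,,
asmith,Ms.,,Anna,Smith,,asmith@example.com,,,mgr1,,finance,contractor,true,,01/31/2017 23:59,Boston,US,,
tlee,Mr.,,Tom,Lee,,tlee@example.com,,,mgr1,,finance,employee,false,,,Boston,US,,
"""

# Candidate strptime formats for endDate. Which one Splunk ES really uses is
# NOT stated on the page; these are assumptions chosen to show how a
# two-digit year behaves under each.
FORMATS = {
    "two-digit year": "%m/%d/%y %H:%M",
    "four-digit year": "%m/%d/%Y %H:%M",
}

# Constructed reference times: one before 01/31/17 23:59 (matching the
# poster's statement that the identity is not expired) and one after it.
REFERENCE_NOW = datetime(2017, 1, 15, 12, 0)
REFERENCE_LATER = datetime(2017, 2, 1, 0, 0)


def parse_end_date(value, fmt):
    """Return the parsed endDate, or None when it does not match fmt.

    Python's strptime demands exactly four digits for %Y and exactly two for
    %y, so a year-width mismatch surfaces here as a parse failure rather than
    as a wrong year. Other strptime implementations may behave differently,
    which is exactly why the stored format should be verified, not guessed.
    """
    try:
        return datetime.strptime(value, fmt)
    except ValueError:
        return None


def classify(csv_text, fmt, now):
    """Map each identity to 'active', 'expired', 'unparseable' or 'no endDate'."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        end = row["endDate"].strip()
        if not end:
            results[row["identity"]] = "no endDate"
            continue
        parsed = parse_end_date(end, fmt)
        if parsed is None:
            results[row["identity"]] = "unparseable"
        elif parsed < now:
            results[row["identity"]] = "expired"
        else:
            results[row["identity"]] = "active"
    return results


def format_mismatches(csv_text, fmt):
    """Identities whose endDate is set but does not parse under fmt.

    These are the rows to inspect first when an expiry alert fires on an
    identity that should still be active.
    """
    states = classify(csv_text, fmt, REFERENCE_NOW)
    return sorted(ident for ident, state in states.items() if state == "unparseable")


if __name__ == "__main__":
    for label, fmt in FORMATS.items():
        print(label, classify(SAMPLE_CSV, fmt, REFERENCE_NOW))
        print("  rows that do not parse:", format_mismatches(SAMPLE_CSV, fmt))
```

Run it against a copy of the real identities.csv (with the reference time set to the current time) and compare the output of format_mismatches for each candidate format: whichever format leaves zero unparseable rows and still marks the questioned identity as active is the one the lookup must be written in, and any row that only parses under the other format needs its endDate rewritten.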