Splunk Enterprise Security

Which fields are used for the identity comparison in Splunk ES?

jacqu3sy
Path Finder

Hi,

Within Splunk Enterprise Security, when the urgency of a notable event is calculated, the priority of the identity is used alongside the Severity of the savedsearch. This I follow and understand.

However, which fields are used for the identity comparison? The identity lookup contains headers identity, nick, first, last, email among others.

Which of these fields is used to compare with the Splunk event? And then, which field pulled back via the savedsearch in Splunk is used for the comparison: user, account, login, etc.?

Splunk docs do not appear to provide the answer via either:

https://docs.splunk.com/Documentation/ES/5.2.2/User/Howurgencyisassigned#Modify_the_urgency_lookup_d...

OR

https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Addassetandidentitydata

Thanks.


harsmarvania57
SplunkTrust

Hi,

While looking at the SA-IdentityManagement add-on which ships with Enterprise Security, I can see that the src_user and user fields from events are mapped to the Identity Lookup automatically, and it provides fields like src_user_first, user_first, etc.

EDIT: From the identity_lookup_expanded lookup definition, Splunk is mapping the key field from the lookup to the src_user and user fields from actual events.


lakshman239
SplunkTrust

The 2 key fields which help determine the severity/priority and correlate to events are 'user_priority' and 'user_category'.

You can run |makeresults | eval user="jacqu3sy" |get_identity4events(user) to link back to Identity data in your deployment and it will show all user_* fields.

squidbarn
Engager

Be sure to surround the macro in back-ticks: 

| makeresults | eval user="jacqu3sy" | `get_identity4events(user)`


jacqu3sy
Path Finder

That's a really useful query, many thanks.



jacqu3sy
Path Finder

Hi, thanks for that. But where are you seeing this and how can I view it?

And if src_user and user are the fields in question, which field in the identity lookup are they mapping to: identity, nick, first, last, etc.?


harsmarvania57
SplunkTrust

Go to Settings -> Lookups -> Automatic Lookups, select SA-IdentityManagement as the app, and you will be able to see the default : LOOKUP-zy-identity_lookup_expanded-src_user and default : LOOKUP-zy-identity_lookup_expanded-user automatic lookups, which map the key field from the identity_lookup_expanded lookup definition to the src_user and user fields from actual events.

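To make the mechanism described in the accepted answer concrete, here is an added Python emulation (not Splunk's code) of what the identity_lookup_expanded join does: the identity column is split into individual keys, and only those keys are matched against the user and src_user event fields, while nick, first, last and email are merely output attributes. The CSV rows, the event records and the pipe-delimited identity convention are assumptions made for this illustration.

```python
"""Emulate ES identity lookup expansion and the user/src_user automatic lookups.

Added illustration only; the lookup rows and events below are constructed.
Assumes the 'identity' column holds a pipe-delimited list of identifiers
(assumption), and that nick/first/last/email are attributes, not join keys.
"""
import csv
import io

# Constructed identity lookup using the header names mentioned in the thread.
IDENTITY_CSV = """identity,nick,first,last,email,priority,category
jdoe|john.doe|jdoe@example.com,Johnny,John,Doe,jdoe@example.com,high,privileged
asmith,,Alice,Smith,asmith@example.com,low,contractor
"""


def expand_identity_lookup(csv_text):
    """Build the 'expanded' table: one entry per individual identity key.

    Each key maps to the remaining attributes of its row, so a lookup on any
    of a person's identifiers returns the same priority/category/name data.
    """
    expanded = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        attributes = {k: v for k, v in row.items() if k != "identity"}
        for key in filter(None, row["identity"].split("|")):
            expanded[key] = attributes
    return expanded


def apply_identity_lookups(event, expanded, fields=("user", "src_user")):
    """Emulate the two automatic lookups: match <field> against the key,
    and output every attribute as <field>_<attribute> (user_priority, ...).

    Only the identity keys are compared; a nick such as 'Johnny' in the
    event would not match because it is never part of the key column.
    """
    enriched = dict(event)
    for field in fields:
        match = expanded.get(event.get(field, ""))
        if match is None:
            continue  # unknown identity: no user_* / src_user_* fields added
        for attribute, value in match.items():
            enriched[f"{field}_{attribute}"] = value
    return enriched


if __name__ == "__main__":
    table = expand_identity_lookup(IDENTITY_CSV)
    print(apply_identity_lookups({"user": "john.doe", "src_user": "asmith"}, table))
```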

jacqu3sy
Path Finder

Really helpful. Thanks.
