Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Define identity formats in Splunk Enterprise Security

Define the identity formats that identify users in your environment on the Identity Lookup Configuration page. Changes made on the Identity Lookup Configuration page modify the identityLookup.conf file.

Prerequisite

Collect and extract asset and identity data in Splunk Enterprise Security

Steps

  1. From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Lookup Configuration.
  2. (Optional) Deselect the check box for Email if email addresses do not identify users in your environment.
  3. (Optional) Deselect the check box for Email short if the username of an email address does not identify users in your environment.
  4. (Optional) Select the check box for Convention if you want to define custom conventions to use to identify users.
    1. Click Add a new convention to add a custom convention.
    2. You can identify users by the first few letters of their first name and the first few letters of their last name, based on the columns in the Identities Table. Use the convention of identity_first(n)middle(n)last(n) where identity, first, and last are any columns from the Identities Table, and where n is a number starting with 0. For example:
      • "Jane Marie Johnson" using the convention first(3)last(3) is janjoh
      • "John Michael Smith" using the convention first(1)middle(1).last() is jm.smith
      • "John Doe" using the convention ADMIN_first(1)last() is ADMIN_jdoe
      • Multiple matches are resolved automatically by taking the first match in the table or manually by specifying identity values.
  5. (Optional) Select the check box for Case Sensitive to require case sensitive identity matching. Case sensitive identity matching produces fewer matches.
  6. Click Save.
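The convention syntax from step 4, as an added Python sketch that is not Splunk's implementation: it expands a convention against constructed identity rows and counts how many rows produce the same identity, so collisions that the first-match rule would resolve silently can be reviewed before saving. The function names `expand` and `resolve`, the lowercasing of column values, and the treatment of `()` as the whole value are assumptions inferred from the examples above.

```python
import re

# Constructed sample rows; column names follow the page's examples.
IDENTITIES = [
    {"first": "Jane", "middle": "Marie", "last": "Johnson"},
    {"first": "John", "middle": "Michael", "last": "Smith"},
    {"first": "John", "middle": "", "last": "Doe"},
    # Collides with the first row under first(3)last(3).
    {"first": "Janet", "middle": "", "last": "Johansson"},
]


def expand(convention, row):
    """Expand column(n) tokens; text outside the tokens is kept literally."""
    cols = sorted(row, key=len, reverse=True)
    token = re.compile(r"(%s)\((\d*)\)" % "|".join(map(re.escape, cols)))

    def substitute(match):
        # Assumption: column values are lowercased, as in the page's examples.
        value = row[match.group(1)].lower()
        n = match.group(2)
        # Assumption: empty parentheses select the whole column value.
        return value if n == "" else value[: int(n)]

    return token.sub(substitute, convention)


def resolve(convention, username, rows, case_sensitive=False):
    """Return (first matching row or None, number of rows that match)."""
    fold = (lambda s: s) if case_sensitive else str.lower
    hits = [r for r in rows if fold(expand(convention, r)) == fold(username)]
    return (hits[0] if hits else None), len(hits)


if __name__ == "__main__":
    for conv in ("first(3)last(3)", "first(1)middle(1).last()",
                 "ADMIN_first(1)last()"):
        print(conv, [expand(conv, r) for r in IDENTITIES])
    # Two rows generate "janjoh"; the first row in the table wins.
    print(resolve("first(3)last(3)", "janjoh", IDENTITIES))
```

A match count above 1 marks an identity that the first-match rule would attribute to whichever row appears first in the table.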

Next step

Format the asset or identity list as a lookup in Splunk Enterprise Security

Last modified on 06 September, 2019

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1

