Define identity formats in Splunk Enterprise Security

Define the identity formats that identify users in your environment on the Identity Lookup Configuration page. Changes made on the Identity Lookup Configuration page modify the identityLookup.conf file.

Prerequisite

Collect and extract asset and identity data in Splunk Enterprise Security

Steps

1. From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Lookup Configuration.
2. (Optional) Deselect the check box for Email if email addresses do not identify users in your environment.
3. (Optional) Deselect the check box for Email short if the username of an email address does not identify users in your environment.
4. (Optional) Select the check box for Convention if you want to define custom conventions to use to identify users.
   1. Click Add a new convention to add a custom convention.
   2. You can identify users by the first few letters of their first name and the first few letters of their last name, based on the columns in the Identities Table. Use the convention of identity_first(n)middle(n)last(n) where identity, first, and last are any columns from the Identities Table, and where n is a number starting with 0. For example:
      • "Jane Marie Johnson" using the convention first(3)last(3) is janjoh
      • "John Michael Smith" using the convention first(1)middle(1).last() is jm.smith
      • "John Doe" using the convention ADMIN_first(1)last() is ADMIN_jdoe
      • Multiple matches are resolved automatically by taking the first match in the table or manually by specifying identity values.
        
5. (Optional) Select the check box for Case Sensitive to require case sensitive identity matching. Case sensitive identity matching produces fewer matches.
6. Click Save.

Next step

Format the asset or identity list as a lookup in Splunk Enterprise Security