topic Re: non-compliant naming convention for workstations in Splunk Search

non-compliant naming convention for workstations

karimoss — Mon, 16 Oct 2023 09:56:32 GMT

Hello,

I want to detect workstations authenticated to the active directory that are not compliant with our naming conventions.( hostname should start with the country code followed by 6 numbers. Exemple for a host from italy :IT000121).

I have already a lookup file (| inputlookup code_countries.csv | table alpha-2), but I don't know how to compare it with the 'Workstation' field in my active index to make it match the naming convention I described above.

Regards,

Re: non-compliant naming convention for workstations

gcusello — Mon, 16 Oct 2023 10:36:38 GMT

Hi @karimossl,

let me understand: do you want to find all the Computernames from Active Directory logs that aren't in the lookup or what else?

if this is your requirement, you could run:

Ciao.

Giuseppe

Re: non-compliant naming convention for workstations

karimoss — Mon, 16 Oct 2023 12:46:37 GMT

Hello @gcusello

No, i want to find Computernames that are not conform to a naming convention.

The Computer name should start with the country code (e.g., Italy: IT, France: FR, USA: US), then followed by 6 digits.

Computer Name: US111220 => Good

Computer Name: DESKTOP-121 => BAD

Computer Name: FR000121 => Good

Computer Name: Kali => BAD

Best Regards,

Re: non-compliant naming convention for workstations

gcusello — Mon, 16 Oct 2023 13:02:51 GMT

Hi @karimoss,

in this case, you have to create a regex to search for ComputerName:

something like this:

| regex ComputerName!="^?![A-Z]{2}\d{6}"

Ciao.

Giuseppe

Re: non-compliant naming convention for workstations

somesoni2 — Mon, 16 Oct 2023 14:21:49 GMT

Give this a try

Your base search to get all workstation names e.g. | tstats count WHERE index=windows by host | searc NOT ([| inputlookup code_countries.csv | table alpha-2 | eval host='aplha-2'."*" | table host]) | where match(host,"^\w{3}\d+")