Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Correlation search using lookup table

tromero3
Path Finder
‎01-08-2020 09:19 AM

I have a lookup table that consists of AD groups with the fields Group, is_privileged, and Type. I need to create a correlation search that looks at my windows events for EventID=4728 OR EventID=4732 OR EventID=4756 and if the "Group_Name" field in the event matches the Group field in the lookup table, I want it to show results.

This is what I have but it is not showing the events that match. Any advice?

index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"

0 Karma
Reply

aberkow
Builder
‎01-08-2020 12:49 PM

index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"

I think you renamed is_privileged to privileged and then searched for is_privileged instead of privileged.

As a side note: debugging line by line is a really powerful way to figure out where your bugs are in Splunk code, since SPL is a unix based language the output of one search goes directly into the input of another. So to find a bug in the last pipe, go pipe by pipe until you find the bug. In your case, if you run the search just after the lookup command you would probably see values for privileged, which could clue that the values are there and the field name might be incorrect.

Hope this helps!

EDIT: I prefer search for string comparison, as that's it's core functionality and I'm less likely to hit a mismatch in comparisons. where is more commonly used for field comparisons, i.e. field1 = field2, field1 > field2 etc

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...