Splunk Enterprise Security

Correlation search using lookup table

tromero3
Path Finder

I have a lookup table that consists of AD groups with the fields Group, is_privileged, and Type. I need to create a correlation search that looks at my windows events for EventID=4728 OR EventID=4732 OR EventID=4756 and if the "Group_Name" field in the event matches the Group field in the lookup table, I want it to show results.

This is what I have but it is not showing the events that match. Any advice?

index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"

0 Karma

aberkow
Builder

index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"

I think you renamed is_privileged to privileged and then searched for is_privileged instead of privileged.

As a side note: debugging line by line is a really powerful way to figure out where your bugs are in Splunk code, since SPL is a unix based language the output of one search goes directly into the input of another. So to find a bug in the last pipe, go pipe by pipe until you find the bug. In your case, if you run the search just after the lookup command you would probably see values for privileged, which could clue that the values are there and the field name might be incorrect.

Hope this helps!

EDIT: I prefer search for string comparison, as that's it's core functionality and I'm less likely to hit a mismatch in comparisons. where is more commonly used for field comparisons, i.e. field1 = field2, field1 > field2 etc

0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...