Splunk Enterprise Security

Splunk Enterprise Security :Correlation search for expired identity activity from a lookup table

Path Finder

I'm trying to create a correlation search that imports a lookup table called ExpiredIdentities.csv then it takes all the entries in the Identity field and runs an independent search for any activity(events) associated with that identity.
Thanks for the help.

0 Karma
1 Solution

Influencer

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

View solution in original post

0 Karma

Influencer

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

View solution in original post

0 Karma

Path Finder

Thanks for the help!

0 Karma

Path Finder

Forgot to add Only events past expired date.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!