Splunk Enterprise Security

Splunk Enterprise Security :Correlation search for expired identity activity from a lookup table

MikeVenable
Path Finder

I'm trying to create a correlation search that imports a lookup table called ExpiredIdentities.csv then it takes all the entries in the Identity field and runs an independent search for any activity(events) associated with that identity.
Thanks for the help.

0 Karma
1 Solution

tiagofbmm
Influencer

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

View solution in original post

0 Karma

tiagofbmm
Influencer

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

View solution in original post

0 Karma

MikeVenable
Path Finder

Thanks for the help!

0 Karma

MikeVenable
Path Finder

Forgot to add Only events past expired date.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.