Solved: Splunk Enterprise Security :Correlation search for...

MikeVenable · ‎07-09-2019

I'm trying to create a correlation search that imports a lookup table called ExpiredIdentities.csv then it takes all the entries in the Identity field and runs an independent search for any activity(events) associated with that identity.
Thanks for the help.

tiagofbmm · ‎07-09-2019

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

View solution in original post

tiagofbmm · ‎07-09-2019

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

MikeVenable · ‎07-10-2019

Thanks for the help!

MikeVenable · ‎07-09-2019

Forgot to add Only events past expired date.

Splunk Enterprise Security :Correlation search for expired identity activity from a lookup table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?