Splunk Enterprise Security

Splunk Enterprise Security :Correlation search for expired identity activity from a lookup table

MikeVenable
Path Finder

I'm trying to create a correlation search that imports a lookup table called ExpiredIdentities.csv then it takes all the entries in the Identity field and runs an independent search for any activity(events) associated with that identity.
Thanks for the help.

0 Karma
1 Solution

tiagofbmm
Influencer

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

View solution in original post

0 Karma

tiagofbmm
Influencer

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

0 Karma

MikeVenable
Path Finder

Thanks for the help!

0 Karma

MikeVenable
Path Finder

Forgot to add Only events past expired date.

0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...