Splunk Enterprise Security

Splunk Enterprise Security :Correlation search for expired identity activity from a lookup table

Path Finder

I'm trying to create a correlation search that imports a lookup table called ExpiredIdentities.csv then it takes all the entries in the Identity field and runs an independent search for any activity(events) associated with that identity.
Thanks for the help.

0 Karma
1 Solution

Influencer

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

View solution in original post

0 Karma

Influencer

How about using that lookup with the ExpiredIdentities.csv like

ID ExpDate
A x
B y

Then run a search on whatever data you may have about that identity:

index=foo sourcetype=bar | lookup ID OUTPUT ExpDate | where _time>ExpDate

Or just create a lookup associated directly with the the sourcetype "bar" and have it run automatically

View solution in original post

0 Karma

Path Finder

Thanks for the help!

0 Karma

Path Finder

Forgot to add Only events past expired date.

0 Karma