Splunk Enterprise

how to detect non team member logon a team workstation?

samlinsongguo
Communicator

I have a list containing all team members' names, and Windows workstation logon events are collected in Splunk. Could anyone give me an idea of how I can alert if any user logging on to that workstation does not belong to the team?

aakwah
Builder

Hello,

Nice use case, you can achieve this by defining a CSV lookup.

The CSV file will have 2 columns, the first one is the member name and the second one is the membership status, something like this:

user,membership_status
User1,Yes
User2,Yes
User3,Yes
User4,Yes

Your events should include the user field (first column header).

Define the lookup in transforms.conf:

[Team_Members_lookup]
filename = team_members.csv
default_match = No

CSV file location:

/lookups/team_members.csv

Your search query can be like this:

sourcetype=winlogs | lookup Team_Members_lookup user OUTPUT membership_status | search dest_machine=Serv123 membership_status=No

This lookup enriches the logs with a new field, membership_status; its value will be "Yes" if the user is in the CSV file, otherwise it will be "No".

You can add the lookup to props.conf to be applied automatically on a certain sourcetype, and in this case you don't need to put "lookup Team_Members_lookup user OUTPUT membership_status" in your query, but it may have some performance impact as the lookup is applied in all searches.

Regards


dineshraj9
Builder

Have the list of members in a lookup and then form a query like this -

Lookup -

teammembers_lookup.csv 
user,status
user1,active
user2,active

Query -

sourcetype="WinEventLog:Security" eventtype="msad-successful-user-logons" | stats count by user | lookup teammembers_lookup.csv user OUTPUT status | fillnull value="-" status | search status!="active"


samlinsongguo
Communicator

Hi,
Thank you for your answer, but when I do
sourcetype=winlogs | lookup Team_Members_lookup user OUTPUT membership_status
it doesn't return anything, and I found the lookup does add the value to the event. Do you know why that is?
Cheers


aakwah
Builder

Hello,
Welcome.

The first column name in CSV file should have the field name that contains the username.

Please provide the following details about your logs:
Sourcetype
Field name that contains the user name
Column names of the CSV file
Field name that contains the machine name

Regards,

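The two answers above both build the same detection: enrich each logon event with a membership field from a CSV lookup, default unmatched users to "No" (or "-"), and alert on successful logons to the team workstation where that field is not "Yes"/"active". The follow-up exchange shows the usual failure mode: the lookup only matches when the event field holding the username is the one named in the lookup call, otherwise every event silently falls through to the default. The Python below is an added example written for this page, not code from any poster, that emulates the `lookup` step over constructed events so the behaviour can be checked offline. The event field names (`Account_Name`, `dest_machine`, `EventCode`) are assumptions about how the Windows logon events are parsed; the domain-stripping and lowercasing in `normalize_user` is also an assumption, added because Splunk CSV lookups match case-sensitively unless `case_sensitive_match = false` is set on the lookup stanza in transforms.conf, and `DOMAIN\user` will not equal `User` in the CSV.

```python
import csv
import io

# Constructed lookup table, same shape as the team_members.csv in the accepted answer.
TEAM_MEMBERS_CSV = """user,membership_status
User1,Yes
User2,Yes
User3,Yes
User4,Yes
"""

# Constructed Windows Security logon events, already split into fields.
# Field names are assumptions about how the events are parsed in Splunk.
LOGON_EVENTS = [
    {"EventCode": "4624", "Account_Name": "User1",       "dest_machine": "Serv123"},
    {"EventCode": "4624", "Account_Name": "CORP\\user2", "dest_machine": "Serv123"},
    {"EventCode": "4624", "Account_Name": "svc_backup",  "dest_machine": "Serv123"},
    {"EventCode": "4624", "Account_Name": "User9",       "dest_machine": "Serv999"},
    {"EventCode": "4625", "Account_Name": "User7",       "dest_machine": "Serv123"},
]


def normalize_user(name):
    """Drop a DOMAIN\\ prefix and lowercase, so CORP\\user2 matches User2 (assumed policy)."""
    return name.rsplit("\\", 1)[-1].lower()


def load_lookup(csv_text, key_field="user", normalize=False):
    """Build {key: row} from the CSV, keyed on the first column like a Splunk CSV lookup."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[key_field]
        table[normalize_user(key) if normalize else key] = row
    return table


def apply_lookup(events, table, event_field, output_field="membership_status",
                 default_match="No", normalize=False):
    """Emulate `| lookup Team_Members_lookup user AS <event_field> OUTPUT membership_status`
    with `default_match = No`: an unmatched key, or a missing event field, yields "No"."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        raw = ev.get(event_field)
        key = None if raw is None else (normalize_user(raw) if normalize else raw)
        row = table.get(key)
        ev[output_field] = row[output_field] if row else default_match
        enriched.append(ev)
    return enriched


def alert_non_members(events, csv_text, event_field="Account_Name", dest="Serv123",
                      normalize=False):
    """Successful logons (EventCode 4624) to `dest` by users whose membership_status is No."""
    table = load_lookup(csv_text, normalize=normalize)
    enriched = apply_lookup(events, table, event_field, normalize=normalize)
    return [ev for ev in enriched
            if ev["dest_machine"] == dest
            and ev["EventCode"] == "4624"
            and ev["membership_status"] == "No"]


def flagged_accounts(events, csv_text, **kwargs):
    """Just the account names of the flagged logons, for reporting and testing."""
    return [ev["Account_Name"] for ev in alert_non_members(events, csv_text, **kwargs)]


if __name__ == "__main__":
    # Exact, case-sensitive match (the CSV lookup default): CORP\user2 is flagged as well.
    print(flagged_accounts(LOGON_EVENTS, TEAM_MEMBERS_CSV))
    # Normalised match: only the genuine non-member is flagged.
    print(flagged_accounts(LOGON_EVENTS, TEAM_MEMBERS_CSV, normalize=True))
    # Wrong event field (the follow-up problem): nothing matches, so every logon is flagged.
    print(flagged_accounts(LOGON_EVENTS, TEAM_MEMBERS_CSV, event_field="user"))
```

The third call is the situation from the follow-up: when the lookup is keyed on a field the events do not carry, `default_match` turns every logon into a "No", so the alert either fires on everyone or, with a `fillnull`/`search` that expects a real match, on nobody. In SPL the fix is to map the CSV column onto the event's actual field in the lookup call (`lookup Team_Members_lookup user AS Account_Name OUTPUT membership_status`) rather than renaming the CSV header, and to decide deliberately whether username case and domain prefixes should be normalised before the match.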