Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to detect non team member logon a team workstation?

samlinsongguo
Communicator
‎05-17-2017 09:02 PM

I have a list contain all team members name and windows workstation logon event is collected in Splunk. Could anyone give me an idea about how can I alert if any user logon that workstation is not belong to the team?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aakwah
Builder
‎05-18-2017 02:03 AM

Hello,

Nice use case, you can achieve this by defining a CSV lookup.

The CSV file will have 2 columns, the first one is member name and the second one is Membership status, something like that:

user, membership_status
User1,Yes
User2,Yes
User3,Yes
User4,Yes

Your events should include the user filed (first coulmn header).

Define the lookup in in transforms.conf

[Team_Members_lookup]
filename = team_members.csv
default_match = No

CSV file location:

/lookups/team_members.csv

You search query can be like this:

sourcetype=winlogs | lookup Team_Members_lookup user OUTPUT membership_status | search dest_machine=Serv123 membership_status=No

This lookup enriches the logs with a new field membership_status, its value will be "Yes" if the user is on the csv file otherwise it will be "No"

You can add the lookup to props.conf to be applied automatically on a certain sourcetype, and in this case you don't need to put "lookup Team_Members_lookup user OUTPUT membership_status" in your query, but it may have some performance impact as the lookup is applied in all searches.

Regards

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-18-2017 02:04 AM

Have the list of members in a lookup and then form a query like this -

Lookup -

teammembers_lookup.csv 
user,status
user1,active
user2,active

Query -

sourcetype="WinEventLog:Security" eventtype="msad-successful-user-logons" | stats count by user | lookup teammembers_lookup.csv user OUTPUT status | fillnull value="-" status | search status!="active"
0 Karma
Reply
Solved! Jump to solution
Solution

aakwah
Builder
‎05-18-2017 02:03 AM

Hello,

Nice use case, you can achieve this by defining a CSV lookup.

The CSV file will have 2 columns, the first one is member name and the second one is Membership status, something like that:

user, membership_status
User1,Yes
User2,Yes
User3,Yes
User4,Yes

Your events should include the user filed (first coulmn header).

Define the lookup in in transforms.conf

[Team_Members_lookup]
filename = team_members.csv
default_match = No

CSV file location:

/lookups/team_members.csv

You search query can be like this:

sourcetype=winlogs | lookup Team_Members_lookup user OUTPUT membership_status | search dest_machine=Serv123 membership_status=No

This lookup enriches the logs with a new field membership_status, its value will be "Yes" if the user is on the csv file otherwise it will be "No"

You can add the lookup to props.conf to be applied automatically on a certain sourcetype, and in this case you don't need to put "lookup Team_Members_lookup user OUTPUT membership_status" in your query, but it may have some performance impact as the lookup is applied in all searches.

Regards

0 Karma
Reply
Solved! Jump to solution

samlinsongguo
Communicator
‎05-18-2017 07:10 PM

HI
Thank you for your answer, but when I do
sourcetype=winlogs | lookup Team_Members_lookup user OUTPUT membership_status
it doesnt return me anything. and I found the lookup does add the value to the event, do you know why is that?
Cheers

0 Karma
Reply
Solved! Jump to solution

aakwah
Builder
‎05-18-2017 11:21 PM

Hello,
Welcome.

The first column name in CSV file should have the field name that contains the username.

please provide the following details about your logs:
Sourcetype
Filed name that contains the user name
Column names of CSV file
Field name that contains machine name

Regards,

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...