Another lookup question

Explorer

I have this working:

| lookup SensitiveGroups.csv Target_Account_Name OUTPUT CSV_Priority | search CSV_Priority="Low" | table _time, Target_Account_Name, Member_ID, Caller_User_Name,CSV_Priority

SensitiveGroups.csv below:

Target_Account_Name,CSV_Priority
Administrators,Low
Domain Admins,Low

Now this will create a table that lists changes to the Target_Account_Name field where it equals Administrators or Domain Admins.
This works.

But I'm not doing a file/folder audit change one, based on other event codes, etc., where the path of the file being changed could be c:\blah\blah\example.txt, so I want to flag where the field Object contains c:\blah\blah.

I could obviously create a lookup file like this, which would tell me when an event pops up with the exact file path in:

Object,CSV_Priority
c:\blah\blah\example.txt,Low

Using a similar rule as above, but it would miss c:\blah\blah\example2.txt, so I want to use a file like the one below where any Object containing c:\blah\blah gets flagged and reported, so not an equals in the lookup, but a contains.

Object,CSV_Priority
c:\blah\blah,Low


Contributor

Use something like this, which can take wildcard characters like * for a value in a column in the lookup table, so you can use this in the lookup table:

Object,Priority
C:/blah*,Low

And in transforms.conf add:

[SensitiveGroups]
filename =  SensitiveGroups.csv
match_type = WILDCARD(Object)
case_sensitive_match = false

Then use a query like this:

lookup SensitiveGroups Target_Account_Name OUTPUT CSV_Priority | search CSV_Priority="Low" | table _time, Target_Account_Name, Member_ID, Caller_User_Name,CSV_Priority

Explorer

This is the search I used:

index="windows_server_events" host="server1" EventCode=560 Type="audit success"
| lookup FileChanges Object_Name OUTPUT csv_host, csv_name
| search csv_name="*"
| table _time,host,Object_Name,Client_User_Name,csv_name,csv_host

With this CSV:

csv_host,csv_name,Object_Name
server1,folder change test,*E:\Inetpub\*

And this transforms.conf stanza:

[FileChanges]
filename = FileChanges.csv
match_type = WILDCARD(Object_Name)
case_sensitive_match = false


Explorer

Works great; I found I had to put this in though:

search csv_name="*"

What are the reasons for using the transforms file rather than .csv in search like I was doing?

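Added example (not code from the thread or from Splunk): a Python model of how the lookup matches once `match_type = WILDCARD(Object_Name)` and `case_sensitive_match = false` are set, compared with the default exact match you get from a plain `lookup file.csv`. The match type is a property of the lookup definition in transforms.conf, which is why the search has to reference the definition name rather than the CSV file name. The CSV contents and events are constructed, modelled on the FileChanges.csv above.

```python
import csv
import fnmatch
import io

# Constructed lookup table modelled on the thread's FileChanges.csv
# (sample data, not the poster's actual file).
FILECHANGES_CSV = r"""csv_host,csv_name,Object_Name
server1,folder change test,*E:\Inetpub\*
"""

# Constructed sample events standing in for EventCode=560 file-audit records.
EVENTS = [
    {"Object_Name": r"E:\Inetpub\wwwroot\web.config", "Client_User_Name": "alice"},
    {"Object_Name": r"e:\inetpub\logs\ex2024.log", "Client_User_Name": "bob"},
    {"Object_Name": r"C:\Windows\System32\drivers\etc\hosts", "Client_User_Name": "carol"},
]


def load_lookup(text):
    """Parse CSV text into row dicts, as Splunk does for a lookup file."""
    return list(csv.DictReader(io.StringIO(text)))


def field_matches(pattern, value, match_type, case_sensitive):
    """One field comparison: Splunk's default exact match, or WILDCARD(field)."""
    if not case_sensitive:  # case_sensitive_match = false
        pattern, value = pattern.lower(), value.lower()
    if match_type == "wildcard":
        return fnmatch.fnmatchcase(value, pattern)  # '*' matches any run of characters
    return pattern == value


def lookup(rows, field, value, match_type="exact", case_sensitive=True):
    """Return the first lookup row whose `field` matches `value`, or None."""
    for row in rows:
        if field_matches(row[field], value, match_type, case_sensitive):
            return row
    return None


def flag_events(events, rows, match_type="exact", case_sensitive=True):
    """Model `| lookup FileChanges Object_Name OUTPUT csv_name | search csv_name="*"`:
    keep only the events for which the lookup produced a csv_name."""
    flagged = []
    for event in events:
        row = lookup(rows, "Object_Name", event["Object_Name"], match_type, case_sensitive)
        if row is not None:
            flagged.append((event["Object_Name"], row["csv_name"]))
    return flagged
```

Calling `flag_events(EVENTS, load_lookup(FILECHANGES_CSV))` with the default exact match flags nothing, while `flag_events(EVENTS, load_lookup(FILECHANGES_CSV), "wildcard", case_sensitive=False)` flags both Inetpub events regardless of drive-letter case.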