My scenario is that I am trying to alert in the event where a user has been provided to an application but that same user wasn't added to an Active Directory group. So I have the following 2 indexes that provide me the information
Application Access is in "index=myapp"
Active Directory is in the "index=ad"
My search for a new user being given access to the application is something such as
My search for a user being added to an Active Directory group is
index=ad EventCode=4728 Group_Name="myapp_users"
I have tried the following searches that provide me with data but I can't figure out the next step to show where my objective is met (i.e. where the user didn't get added to the group but was given access to the app).
In my example I will get 3 returned results. USERA which was added to the application AND was added as a member to the AD group; USERB which was added to the application AND was added as a member to the AD group; and USERC which was added to the application but NOT added as a member to the AD group (myapp_users). The problem becomes that in the results that are returned I see
(index=myapp AND Operation=Creation AND user_object="firstname.lastname@example.org") OR (index=ad AND EventCode=4728 AND Group_Name="myapp_users")
| rename user_object as app_newuser
| rename user AS adperm_user
| rex field=adperm_user "^(?<extracteduser>[^\,]+)"
| rex field=extracteduser "(?<CNAttrib>CN=(?<user>.+))"
| eval app_newuser=split(app_newuser,"@")
| eval user=coalesce(mvindex(app_newuser,0), user)
| eval user=lower(user)
| stats values(*) as * by user
| fillnull value="NA" Group_Name
| where Group_Name="NA"
Essentially, extract the user from whichever field it appears in, then "join" with stats, finally determine which users don't have an entry in AD
You may need to play around with field names depending on your actual data, e.g. you might want to remove fields you are not interested in before the stats values(*)
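The same "normalise the user from each source, merge by user, keep the ones with no AD side" logic, written here as an added Python example (not part of the original answer) over constructed sample events so it can run offline. It assumes the app event carries the user as an e-mail address in user_object, the AD 4728 event carries the member's distinguished name in user, and the CN equals the local part of the e-mail address, which is what the stats-by-user join relies on.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for the two indexes (not real data).
# USERA and USERB were added to the app and to the group; USERC only to the app.
APP_EVENTS = [
    {"Operation": "Creation", "user_object": "UserA@example.org"},
    {"Operation": "Creation", "user_object": "userb@example.org"},
    {"Operation": "Creation", "user_object": "UserC@example.org"},
    {"Operation": "Delete", "user_object": "userd@example.org"},  # not a creation
]
AD_EVENTS = [
    {"EventCode": 4728, "Group_Name": "myapp_users",
     "user": "CN=usera,OU=Users,DC=example,DC=org"},
    {"EventCode": 4728, "Group_Name": "myapp_users",
     "user": "CN=UserB,OU=Users,DC=example,DC=org"},
    {"EventCode": 4728, "Group_Name": "other_group",  # wrong group, must not count
     "user": "CN=userc,OU=Users,DC=example,DC=org"},
]

# First RDN of the DN, value after "CN=" (the two rex stages in the search).
CN_RE = re.compile(r"^CN=(?P<user>[^,]+)")

def app_user(event):
    """Mirror of split(user_object,"@") + mvindex(...,0) + lower()."""
    return event["user_object"].split("@")[0].lower()

def ad_user(event):
    """Mirror of the rex on the DN; None when the field is not a CN= DN."""
    m = CN_RE.match(event.get("user", ""))
    return m.group("user").lower() if m else None

def users_missing_group(app_events, ad_events, group="myapp_users"):
    """Equivalent of stats values(*) by user | where Group_Name="NA"."""
    merged = defaultdict(lambda: {"app": False, "groups": set()})
    for e in app_events:
        if e.get("Operation") == "Creation":
            merged[app_user(e)]["app"] = True
    for e in ad_events:
        # Same filter as the base search: only 4728 into the watched group.
        if e.get("EventCode") == 4728 and e.get("Group_Name") == group:
            u = ad_user(e)
            if u:
                merged[u]["groups"].add(group)
    # App access recorded, but no matching group-add event for that user.
    return sorted(u for u, v in merged.items() if v["app"] and not v["groups"])
```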