Hey All,
I am attempting to write a search that looks for AD group add/removals for specific groups executed by specific users.
I would like to use a lookup list for the AD group names but am a little unsure of the best way to write the search. My results should be any group modifications for any of the groups listed in the lookup not performed by a single account.
This is what I have so far:
index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| search SubjectAcct!=ACCT AND Group_Name="GROUP"
| table _time name Group_Name SubjectAcct TargetAcct
This is what finally ended up working for me.
index=wineventlog EventCode IN (4728,4729)
[inputlookup rbacgroups]
| eval Subject_Acct=mvindex(Account_Name,0)
| eval Target_Acct=mvindex(Account_Name,1)
| search Subject_Acct!=ACCT
| table _time Group_Name Subject_Acct Target_Acct
This was working with one entry in the lookup file, but now that I have multiple entries my search returns no results. Why is it so difficult in Splunk to have one field searched against the contents of a lookup file? It almost seems easier just to make a massive search string at some point.
index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| lookup yourADgroup Group_Name OUTPUT Group_Name as result
| where isnotnull(result) AND SubjectAcct!="ACCT"
| table _time name Group_Name SubjectAcct TargetAcct
or
index=wineventlog EventCode IN (4728,4729)
| eval SubjectAcct=mvindex(Account_Name,0)
| eval TargetAcct=mvindex(Account_Name,1)
| join Group_Name [|inputlookup yourADgroup]
| search SubjectAcct!="ACCT"
| table _time name Group_Name SubjectAcct TargetAcct
Hey @to4kawa,
Thanks for the assistance, I don't quite think I have it right still.
I want to match events that meet all the conditions including Group_Name matching a group name in the lookup list.
Lookup list name: RBACGROUPS
Column Name: GROUP
Field to search against: Group_Name
I have tried creating .csv's three different ways for my lookup list and all still end up generating the error:
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.
I have created it in Excel, Notepad++, and vi.
It's a simple lookup file with one column header and two entries.
GROUP
"Test Group 1",
"Test Group 2"
https://answers.splunk.com/answers/497853/my-lookup-in-a-macro-works-in-a-search-but-why-doe.html
I don't know your query. Maybe the lookup is wrong.
I tried both of your example queries and the join query doesn't return any results and the lookup query gives the error.
This should be much easier than this to match events based on lookup values.
My queries won't budge unless you fix them, because yourADgroup is nothing.