Splunk Search

How do I create an overall alert while ignoring events for specific field combinations?

jmaple
Communicator

I'm trying to alert on a specific event code, but there are certain combinations where these event codes are acceptable and I want to exclude them from my results. For some reason, I'm having trouble getting it to ignore the accepted events without excluding them outright.

For instance, our service desk is allowed to make specific edits within our AD infrastructure, but we use Quest ARS for everything else, and we want to be notified when a user makes an AD modification to a user outside of this event combination. Here is my base search:

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate

From here I want to exclude the title of our "Account_Name" field (which is brought in using a lookup) with the specific "LDAP_Display_Name" field value of "altSecurityIdentity". I thought this would do it:

[base search] | where (LDAP_Display_Name!=altSecurityIdentity AND userTitle!="*help desk*")

But that doesn't take both arguments into account. It does one, then the other. How do I get it to accept both arguments as one?

1 Solution

jmaple
Communicator

So rather than do the "where" statement, I just added the "NOT ..." statement in the base search and it seems to do it.

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate NOT (LDAP_Display_Name=altSecurityIdentities AND (userTitle="*help desk*" OR userTitle="*service desk*"))



somesoni2
Revered Legend

Try this

[base search] | where NOT (LDAP_Display_Name="altSecurityIdentity" AND userTitle="*help desk*")

jmaple
Communicator

Looks like there is no change. There are a couple of different titles I need to filter, so I tried one of them and it still came up as a result.

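The following is an added illustration, not part of the thread and not Splunk code, of why the accepted `NOT (A AND B)` base-search filter alerts on the right events while the two `where` attempts do not. It runs the three filter shapes over a constructed set of enriched EventCode 5136 records (the account names, titles and attribute names are made up for the example). Two points it makes explicit: `A!=x AND B!=y` keeps an event only when both fields differ, so it suppresses every help-desk edit and every altSecurityIdentities edit rather than just the permitted pairing; and in the `where` command `=` is an exact string comparison, so `"*help desk*"` is a literal asterisk rather than a wildcard and the inner AND never matches, which is why the thread saw "no change".

```python
import fnmatch

# Constructed sample of enriched EventCode 5136 records (not data from the
# original thread): who made the change, their lookup-supplied title, and
# which LDAP attribute of the target user was modified.
EVENTS = [
    {"Account_Name": "mlee",   "userTitle": "Identity Engineer",       "LDAP_Display_Name": "servicePrincipalName"},
    {"Account_Name": "jdoe",   "userTitle": "Help Desk Analyst",       "LDAP_Display_Name": "altSecurityIdentities"},
    {"Account_Name": "asmith", "userTitle": "Service Desk Technician", "LDAP_Display_Name": "altSecurityIdentities"},
    {"Account_Name": "jdoe",   "userTitle": "Help Desk Analyst",       "LDAP_Display_Name": "memberOf"},
    {"Account_Name": "bjones", "userTitle": "Network Engineer",        "LDAP_Display_Name": "altSecurityIdentities"},
    {"Account_Name": "bjones", "userTitle": "Network Engineer",        "LDAP_Display_Name": "userCertificate"},
]

ALLOWED_ATTR = "altSecurityIdentities"              # the one attribute the desk may edit
ALLOWED_TITLES = ["*help desk*", "*service desk*"]  # who is allowed to edit it


def wildcard_match(value, patterns):
    """Case-insensitive glob match, the way '*help desk*' behaves in a base search."""
    return any(fnmatch.fnmatch(value.lower(), p.lower()) for p in patterns)


def base_search(events):
    """The thread's base filter: LDAP_Display_Name!=userCertificate."""
    return [e for e in events if e["LDAP_Display_Name"] != "userCertificate"]


def keep(events):
    """Reduce surviving events to (who, which attribute) for easy comparison."""
    return [(e["Account_Name"], e["LDAP_Display_Name"]) for e in events]


def exclude_either(events):
    """Logic of `A!=x AND title!=pattern`: an event survives only when BOTH
    fields differ, so any help-desk edit and any altSecurityIdentities edit
    is suppressed, not just the permitted combination."""
    return keep(e for e in events
                if e["LDAP_Display_Name"] != ALLOWED_ATTR
                and not wildcard_match(e["userTitle"], ALLOWED_TITLES))


def exclude_combination(events):
    """Logic of the accepted answer, `NOT (A=x AND (title=p1 OR title=p2))`:
    only the permitted pairing is dropped; everything else still alerts."""
    return keep(e for e in events
                if not (e["LDAP_Display_Name"] == ALLOWED_ATTR
                        and wildcard_match(e["userTitle"], ALLOWED_TITLES)))


def where_not_literal(events):
    """`where NOT (A="x" AND title="*help desk*")` as the where command
    evaluates it: '=' is an exact string comparison and '*' is a literal
    asterisk, so the inner AND never matches and nothing is excluded."""
    return keep(e for e in events
                if not (e["LDAP_Display_Name"] == ALLOWED_ATTR
                        and e["userTitle"] == "*help desk*"))


if __name__ == "__main__":
    candidates = base_search(EVENTS)
    print("NOT (A AND B) in base search:", exclude_combination(candidates))
    print("A!=x AND B!=y:               ", exclude_either(candidates))
    print("where with literal '*':      ", where_not_literal(candidates))
```

With the sample data the accepted form raises three alerts (an identity engineer changing servicePrincipalName, a help-desk analyst changing memberOf, and a network engineer changing altSecurityIdentities), the double-`!=` form raises only one and silently drops the other two, and the literal `where` form excludes nothing. Two practical caveats follow from this: the exclusion only matches the attribute name exactly as it is logged (the accepted answer uses `altSecurityIdentities`, the earlier attempts `altSecurityIdentity`), and the carve-out is only as trustworthy as the `userTitle` lookup that feeds it.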