Splunk Search

How do I create an overall alert while ignoring events for specific field combinations?

jmaple
Communicator

I'm trying to alert on a specific event code but there are certain combinations where these event codes are acceptable and I want to exclude them from my results but for some reason, I'm having trouble getting it to ignore accepted events without excluding them outright.

For instance, our service desk is allowed to make specific edits within our AD infrastructure but we use Quest ARS for everything else and we want to be notified when a user makes an AD modification to a user outside of this event combination so here is my base search:

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate

From here I want to exclude the title of our "Account_Name" field (which is brought in using a lookup) with the specific "LDAP_Display_Name" field value of "altSecurityIdentity". I thought this would do it:

[base search] | where (LDAP_Display_Name!=altSecurityIdentity AND userTitle!="*help desk*")

But that doesn't take both arguments in account. It does one then the other. How do I get it to accept both arguments as one?

0 Karma
1 Solution

jmaple
Communicator

So rather than do the "where" statement, I just added the "NOT ..." statement in the base search and it seems to do it.

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate NOT (LDAP_Display_Name=altSecurityIdentities AND (userTitle="*help desk*" OR userTitle="*service desk*"))

View solution in original post

0 Karma

jmaple
Communicator

So rather than do the "where" statement, I just added the "NOT ..." statement in the base search and it seems to do it.

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate NOT (LDAP_Display_Name=altSecurityIdentities AND (userTitle="*help desk*" OR userTitle="*service desk*"))

View solution in original post

0 Karma

somesoni2
Revered Legend

Try this

[base search] | where NOT (LDAP_Display_Name="altSecurityIdentity" AND userTitle="*help desk*")

jmaple
Communicator

Looks like there is no change. There a couple of different titles I need to filter so I tried one of them and it still came up as a result.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.