Splunk Search

How to create and trigger an alert when specific Active Directory users from a CSV file get locked out?

rashid47010
Communicator

I have one CSV file containing important user names. I want to create an alert/correlation rule whenever a user from that specific list gets locked out.


sundareshr
Legend

Create a lookup table for the CSV file you have. The CSV file should have a column whose name is the same as the field in the event log that holds the user id. I assume it is Account_Name.

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

Then a query like this should give you the alert

index=windowslogs EventId=4740 [|inputlookup userlist.csv | table Account_Name] 

Set up an alert if count>0

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Aboutalerts

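The lookup-plus-subsearch logic from the accepted answer, as an added Python example (not code from this thread or from Splunk) that runs the same match offline over a constructed watchlist CSV and constructed 4740 events. It assumes the event is held as an EventId field plus the rendered Security log message, and that the victim appears under "Account That Was Locked Out" while the Subject account is the domain controller's machine account.

```python
import csv
import io
import re

# Constructed watchlist in the shape the answer assumes: the CSV header
# matches the Windows event field name (Account_Name).
USERLIST_CSV = "Account_Name\njdoe\nsvc_backup\nCFO.Smith\n"

# Constructed events. On a real 4740 event Splunk's Account_Name field is
# multivalue (Subject = DC machine account, plus the locked-out user), so
# the answer's subsearch matches either value; here we match only the
# locked-out account, which is what the alert is about.
SAMPLE_EVENTS = [
    {"EventId": 4740, "Message": "A user account was locked out.\n"
     "Subject:\n\tAccount Name:\t\tDC01$\n"
     "Account That Was Locked Out:\n\tAccount Name:\t\tJDOE\n"
     "Additional Information:\n\tCaller Computer Name:\tWS-042"},
    {"EventId": 4740, "Message": "A user account was locked out.\n"
     "Subject:\n\tAccount Name:\t\tDC01$\n"
     "Account That Was Locked Out:\n\tAccount Name:\t\tbob\n"
     "Additional Information:\n\tCaller Computer Name:\tWS-007"},
    {"EventId": 4624, "Message": "An account was successfully logged on.\n"
     "New Logon:\n\tAccount Name:\t\tsvc_backup"},
]

LOCKED_RE = re.compile(r"Account That Was Locked Out:.*?Account Name:\s*(\S+)", re.S)
CALLER_RE = re.compile(r"Caller Computer Name:\s*(\S+)")

def load_watchlist(csv_text):
    """Equivalent of `| inputlookup userlist.csv | table Account_Name`.
    AD logon names are case-insensitive, so normalise before comparing."""
    return {row["Account_Name"].strip().lower()
            for row in csv.DictReader(io.StringIO(csv_text))
            if row.get("Account_Name", "").strip()}

def find_watchlist_lockouts(events, csv_text):
    """The answer's search in code: keep EventId=4740 events whose locked-out
    account is on the watchlist. Returns (user, caller_computer) pairs; the
    alert condition is that this list is non-empty (count>0)."""
    watch = load_watchlist(csv_text)
    hits = []
    for ev in events:
        if ev.get("EventId") != 4740:
            continue
        m = LOCKED_RE.search(ev["Message"])
        if not m or m.group(1).lower() not in watch:
            continue
        caller = CALLER_RE.search(ev["Message"])
        hits.append((m.group(1), caller.group(1) if caller else None))
    return hits
```

The caller computer is carried along because it is the first thing an analyst wants when a watchlisted account locks out.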

gfreitas
Builder

To achieve that you should create a lookup. A lookup will compare a field from a file and add some data to your current data indexed in Splunk. Your CSV should have at least the username field and another field, for example vip=yes. With that you will compare logs from AD, look them up, and find whether a user is a VIP or not.
You can find more information on: http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources
