Splunk Search

How to outputlookup historic IP activity / userID and create an alert that will occur if the IP address is not on the historic IP activity list? (PART 2)

Log_wrangler
Builder

I created this PART 2 as the previous thread is getting long.

Recap: I am trying to monitor login behavior to an online application using WAF logs. The userID may be associated with multiple sourceIP(s).

I use the following query to create a reference point, historic_login_list.csv. (I run this for the last 90 days but do not include the current day.)

index=waf sourcetype=waf_logs " key words" | stats count by userID sourceIP GeoLoc | dedup userID sourceIP | outputlookup append=f historic_login_list.csv

I use the following query to compare results to the reference list.

index=waf sourcetype=waf_logs " key words" | fillnull value=NULL userID | stats count by userID sourceIP GeoLoc _time | dedup userID sourceIP | search NOT [| inputlookup historic_login_list.csv | fields userID sourceIP GeoLoc]

I use fillnull in the comparative query as it picks up errors, and I added _time for investigative purposes.
I have scrubbed the historic list csv to discard data that is unusual or not a normal reference point.

Does anyone know of a better way to do this and get the results that I am after?

I appreciate any suggestions to improve or make more efficient.

Thank you for your review.

0 Karma
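As an added example (not from the original post or any reply), the same baseline-and-compare logic can be written without the `search NOT [...]` subsearch, which is subject to Splunk's default subsearch limits (10,000 rows and a run-time cap) and will silently drop part of the baseline once the lookup grows. The `lookup` command joins every result row against the CSV directly and has no such cap. It assumes the post's index, sourcetype, field names and lookup file; the `earliest`/`latest` modifiers and the `first_seen`/`last_seen` fields are additions for the scheduled-search and investigation use described in the post. Lines beginning with # are explanatory notes, not SPL, and must be removed before pasting into the search bar.

```spl
# Step 1 (scheduled search, run once a day): rebuild the 90-day baseline
# from completed days only. @d snaps to midnight, so today is excluded.
# stats already returns one row per userID/sourceIP/GeoLoc combination,
# so no dedup is needed afterwards; count is kept as a non-key field so
# the lookup in step 2 has something to OUTPUT.
index=waf sourcetype=waf_logs "key words" earliest=-90d@d latest=@d
| stats count BY userID sourceIP GeoLoc
| outputlookup append=f historic_login_list.csv

# Step 2 (alert search, time range set by the alert schedule): collapse the
# window's events to one row per combination, keeping first/last time for
# triage, then match all three key fields against the baseline CSV.
# Rows with no baseline_logins value have never been seen before.
index=waf sourcetype=waf_logs "key words"
| fillnull value=NULL userID
| stats count AS logins min(_time) AS first_seen max(_time) AS last_seen
    BY userID sourceIP GeoLoc
| lookup historic_login_list.csv userID sourceIP GeoLoc OUTPUT count AS baseline_logins
| where isnull(baseline_logins)
| convert ctime(first_seen) ctime(last_seen)
| table userID sourceIP GeoLoc logins first_seen last_seen
```

Set the alert to trigger when the number of results is greater than 0; a userID whose IP is known but whose GeoLoc has changed still fires, because all three fields take part in the match, exactly as in the original `fields userID sourceIP GeoLoc` subsearch.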