Dear Experts,
I need to write the custom search where user x can login from 5 sources , I am thinking to use lookup( 5 allowed Source IP) , Suppose if user login not from this lookup table(alloweduser) where field name IP. I should get a alert .
I would use an eventtype
and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf
like this:
[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"
[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"
Then you search like this:
eventtype=USER_X_DISALLOWED LOGINS
I would use an eventtype
and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf
like this:
[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"
[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"
Then you search like this:
eventtype=USER_X_DISALLOWED LOGINS