I have an alert to discover logins from accounts on servers and workstations. Some of these logins are normal and so I am attempting to create an exclusion for these events. This is a discovery process, and a list of normal logins is not known. At the moment, the exclusions are done with individual search commands for readability. But this query search lines are getting bigger by the day.
<base-search>
| search NOT (accountName=svcAPP01 AND computerName=srv-APP1-blah)
| search NOT (accountName=svcAPP02 AND computerName=srv-APP02-*)
| search NOT (accountName=svcAPP03 AND computerName=srv-APP03-blah computerName=ws-somename-blah)
| table _time, accountName, computerName
Is it possible to create an inputlookup table for such an exclusion, where the criteria are a combination of two fields; accountName and computerName?
Hi @geoffmoraes,
if you can define all the pairs accountName and computerName and the correlation is always NOT (accountName AND computerName) , you can put them in a lookup (called e.g. search_patterns.csv) containing only two fields (accountName and computerName) and use it in a search, something like this:
your search NOT [ | inputlookup search_patterns.csv | fields accountName computerName ]
| ...
Ciao.
Giuseppe
@gcusello That worked. Thanks!
Hi @geoffmoraes,
if you can define all the pairs accountName and computerName and the correlation is always NOT (accountName AND computerName) , you can put them in a lookup (called e.g. search_patterns.csv) containing only two fields (accountName and computerName) and use it in a search, something like this:
your search NOT [ | inputlookup search_patterns.csv | fields accountName computerName ]
| ...
Ciao.
Giuseppe