I've spent considerable time trying to get this to work and have searched topics but nothing appears to get me where I am trying to go.
I'm trying to pull values from a field in a search and then see if they exist in a lookup table.
The search is like:
index=win sourcetype=windows:security logs EventType=4722
The value I am interested in here is under the field Target_Account_Account_Name
I have a lookup table ad_dump.csv that stores AD Attributes. The fields I am interested in here are Enabled and SamAccountName.
I am trying to find users whose account was disabled and recently enabled. There may be an easier way to accomplish this and I am open to suggestions, but where I am at, this is what I am trying to do.
Run the search to pull the field Target_Account_Account_Name and see if that identical value exists in the SamAccountName field from the lookup if their Enabled field is equal to False.
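
One way to express the match described above, as an added example that is not part of the original post. It assumes ad_dump.csv is available to the app as a lookup file, that the sourcetype is windows:security, and that Enabled holds the text True or False; the output names ad_dump_enabled, enable_events and last_enabled are made up for illustration.

```spl
index=win sourcetype=windows:security EventType=4722
| lookup ad_dump.csv SamAccountName AS Target_Account_Account_Name OUTPUT Enabled AS ad_dump_enabled
| where lower(ad_dump_enabled)="false"
| stats count AS enable_events, latest(_time) AS last_enabled BY Target_Account_Account_Name, ad_dump_enabled
| convert ctime(last_enabled)
```

Accounts with no row in the lookup get a null ad_dump_enabled and are dropped by the where clause. The result only means "was disabled, then enabled" if ad_dump.csv was exported before the 4722 events in the search window, and matching on a CSV file is case-sensitive by default, so the account name casing in the events has to agree with SamAccountName.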