Hi,
I will create an alert that tracks Windows (event id = 4726 - A user account was deleted) events.
I have a user list named "user" in the adminuser.csv file. I want to exclude these users. How can I do it? Should I use lookup or inputlookup? Which one is more efficient?
The following query does not return the result I want.
index = wineventlog source = "WinEventLog: Security" EventCode = 4726 | search src_user NOT [ | inputlookup adminuser.csv]
Hi @sfurkan,
Using inputlookup is better since it will filter events as early as possible.
index = wineventlog source = "WinEventLog: Security" EventCode = 4726 NOT [| inputlookup adminuser.csv | fields user | rename user as src_user]
I noticed and fixed my query after posting. I think you read it before my edit. Please check my reply again. I changed it to src_user. It will compare the user field in the csv with src_user in the events.
The field I want to query in the event is src_user.
I only have "user" field in the adminuser.csv file.
What does src_ip mean in the query you mentioned? Do you mean the field in the csv file?
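As an added example (not from the thread), the two exclusion styles the question asks about side by side: the subsearch form from the answer above, and a lookup-based form. Both assume adminuser.csv is uploaded as a lookup table file with a single column named user, and that the actor who deleted the account is in src_user.

```spl
index=wineventlog source="WinEventLog: Security" EventCode=4726
    NOT [| inputlookup adminuser.csv | fields user | rename user AS src_user]
| table _time host src_user user

index=wineventlog source="WinEventLog: Security" EventCode=4726
| lookup adminuser.csv user AS src_user OUTPUT user AS admin_match
| where isnull(admin_match)
| table _time host src_user user
```

The subsearch form expands to NOT (src_user=... OR src_user=...) before the main search runs, so it filters earliest and is the efficient choice for a short admin list; the lookup form evaluates every 4726 event first but is not bound by the subsearch result limit, and its admin_match field is handy when reviewing why an event was or was not excluded.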