Hi,

I will create an alert that tracks Windows (event id = 4726 - A user account was deleted) events.
I have a user list named "user" in the adminuser.csv file. I want to exclude these users. how can I do it? Should I use lookup or inputlookup? which one is more efficient?

The following query does not return the result I want.

index = wineventlog source = "WinEventLog: Security" EventCode = 4726 | search src_user NOT [ | inputlookup adminuser.csv]