TIA. This has probably been asked and answered dozens of times but my brain is now mush.
The following search gives me a column named "Account_Name":
eventtype=wineventlog_security EventCode=4768 (Result_Code=0x12 OR Result_Code=0x17) Client_Address!="*123.456.789.4*" | regex Account_Name="^[^\\$]+$" | stats count by Account_Name dest_nt_host dest_nt_domain Client_Address | dedup Account_Name keepevents=true | where count>7 | sort -count
I have a lookup search that produces "DisabledUsers.csv" where the first column is "sAMAccountName". I want to output the matches, in other words, the users that are common to both sources: the accounts that are identical between "Account_Name" and "sAMAccountName".
Suggestions?
eventtype=wineventlog_security EventCode=4768 (Result_Code=0x12 OR Result_Code=0x17) Client_Address!="123.456.789.4" | regex Account_Name="^[^\\$]+$" | stats count by Account_Name dest_nt_host dest_nt_domain Client_Address | dedup Account_Name keepevents=true | where count>7 | sort -count| join Account_Name[|inputlookup DisabledUsers.csv| rename "sAMAccountName" as Account_Name]
eventtype=wineventlog_security EventCode=4768 (Result_Code=0x12 OR Result_Code=0x17) Client_Address!="123.456.789.4" | regex Account_Name="^[^\\$]+$" | stats count by Account_Name dest_nt_host dest_nt_domain Client_Address | dedup Account_Name keepevents=true | where count>7 | sort -count| join Account_Name[|inputlookup DisabledUsers.csv| rename "sAMAccountName" as Account_Name]