Hi, There is an alarm monitoring the 4733 (A member was removed from a security-enabled local group) events. When this alarm is triggered, I want the user to be deleted from the users.csv lookup. How can I do it? Thanks,
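Added example, not from this thread: one way to drop the members named in 4733 events from the lookup is to make the scheduled search itself rewrite the file, since the built-in trigger actions (email, webhook, script) do not edit lookups. Assumptions: the lookup is users.csv with a single column named user, the removed member lands in the event field user (verify against your Windows add-on's extractions for 4733, where the Subject and the Member are different fields), and the search is scheduled over the same window it covers (for example every 15 minutes over the last 15 minutes).

```spl
| inputlookup users.csv
| eval keep=1
| append [ search index=wineventlog source="WinEventLog:Security" EventCode=4733 | stats count BY user | eval keep=0 ]
| stats min(keep) AS keep BY user
| where keep=1
| fields user
| outputlookup users.csv
```

Every lookup row is tagged keep=1 and every removed member keep=0; after stats, a user present in both sets gets 0 and is filtered out, a user only in the events was never in the lookup and is also dropped, and everyone else is written back. The search inside append runs with the scheduled search's time range and is subject to the subsearch limits (10,000 rows, 60 seconds by default), which is fine for an alert window. Running it twice over the same window is harmless because the result is the same.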
One last question: how can I add a query to avoid duplicate lines in the csv file? I used the dedup command, but this does not prevent duplicate lines in the csv file.
Thanks. I want to add a row to an existing column in the csv file. Existing records in the csv file should not be deleted. For example, I want to take user information from the Windows event and add it as a row. Is it not possible to do it from the "Trigger actions" section?
Hi, When an alarm is triggered, I want a field inside the event (e.g. user) to be added to a preexisting lookup file. How can I do it? Thanks,
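Added example, not from this thread, covering the three related questions above (adding the event's user as a new row, keeping the existing rows, and avoiding duplicate lines). The reason dedup alone does not help is that it only deduplicates the search results; outputlookup append=true then adds those rows to the file without looking at what is already there. Reading the existing rows into the pipeline first, deduplicating the union, and overwriting the file fixes that. Assumptions: the lookup is users.csv with one column user, and the first line is a stand-in for the alert's own search (4726 is taken from the other post on this page).

```spl
index=wineventlog source="WinEventLog:Security" EventCode=4726
| stats count BY user
| fields user
| inputlookup append=true users.csv
| dedup user
| outputlookup users.csv
```

Two caveats. First, outputlookup passes all rows through, so the result count of this search equals the size of the lookup and a "number of results > 0" trigger would fire every run; keep the alert as its own search and schedule this one separately, or use a custom trigger condition computed before the merge. Second, the write happens in the app context of the saved search, so the lookup file must be shared to that app and the owning role needs write permission on it.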
The field I want to query in the event is src_user. I only have a "user" field in the adminuser.csv file. What does src_ip mean in the query you mentioned? Do you mean the field in the csv file?
Hi, I will create an alert that tracks Windows (event id = 4726 - A user account was deleted) events. I have a user list named "user" in the adminuser.csv file. I want to exclude these users. How can I do it? Should I use lookup or inputlookup? Which one is more efficient? The following query does not return the result I want.

index = wineventlog source = "WinEventLog: Security" EventCode = 4726 | search src_user NOT [ | inputlookup adminuser.csv]
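Added example, not from this thread, showing both ways of excluding the lookup's users. The posted query fails because the subsearch returns terms of the form user="..." while the events carry src_user, so nothing matches; the column has to be renamed inside the subsearch. Assumptions: adminuser.csv is a single-column lookup file (column user) visible to the app the search runs in, and src_user is the event field to compare. The first search is the subsearch form, the second uses the lookup command.

```spl
index=wineventlog source="WinEventLog:Security" EventCode=4726
| search NOT [ | inputlookup adminuser.csv | rename user AS src_user | fields src_user ]

index=wineventlog source="WinEventLog:Security" EventCode=4726
| lookup adminuser.csv user AS src_user OUTPUT user AS admin_match
| where isnull(admin_match)
```

The subsearch form is fine for a short list but is capped by the subsearch limits (10,000 rows and 60 seconds by default, limits.conf subsearch_maxout and subsearch_maxtime); the lookup form scales to large lists because it joins per event instead of expanding the list into the search string. In both cases CSV lookup matching is case-sensitive unless the lookup definition sets case_sensitive_match = false, so "Administrator" and "administrator" are different users until that is changed.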