First post on here. Hopefully this makes sense and isn't overly convoluted.
So, I have a datamodel correlation search in Enterprise Security that looks for accounts being deleted:
| from datamodel:"Change_Analysis"."Account_Management" | where 'tag'="delete" | search NOT "changed: /usr*" | stats max(_time) as "lastTime",latest(_raw) as "orig_raw",values(result) as "signature",values(src) as "src",values(dest) as "dest",count by "src_user","user" | where 'count'>0
This is great, however I have an access management team and I don't want their accounts to trigger a notable event. I understand that I can put exceptions in for each member of the team, but there would be an admin overhead to keep this up to date.
I have a ldapsearchthat extracts the surnames of the team members from active directory:
| ldapsearch search="(&(objectClass=group) (cn=*))" attrs="member,sAMAccountName" basedn="CN=<GroupName>,OU=<OU>,DC=<DC>"
| rex field=member "CN=([^,\d]*)* (?<Surnames>[^,\d]*)"
| table Surnames
| mvexpand Surnames
Is there a way to combine these searches and get the correlation search to look at the list of surnames and not trigger if a match is found? They won't be an exact match but the surname of the user will be present in the account name used to admin my DC.
... View more