Hi All,
First post on here. Hopefully this makes sense and isn't overly convoluted.
So, I have a datamodel correlation search in Enterprise Security that looks for accounts being deleted:
| from datamodel:"Change_Analysis"."Account_Management" | where 'tag'="delete" | search NOT "changed: /usr*" | stats max(_time) as "lastTime",latest(_raw) as "orig_raw",values(result) as "signature",values(src) as "src",values(dest) as "dest",count by "src_user","user" | where 'count'>0
This is great, however I have an access management team and I don't want their accounts to trigger a notable event. I understand that I can put exceptions in for each member of the team, but there would be an admin overhead to keep this up to date.
I have an ldapsearch that extracts the surnames of the team members from Active Directory:
| ldapsearch search="(&(objectClass=group) (cn=*))" attrs="member,sAMAccountName" basedn="CN=<GroupName>,OU=<OU>,DC=<DC>"
| rex field=member "CN=([^,\d]*)* (?<Surnames>[^,\d]*)"
| table Surnames
| mvexpand Surnames
Is there a way to combine these searches and get the correlation search to look at the list of surnames and not trigger if a match is found? They won't be an exact match but the surname of the user will be present in the account name used to admin my DC.
Thanks all!!
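One way to wire the two searches together, written here as an added example rather than code from the original post: schedule the ldapsearch to write its surnames into a CSV lookup, then have the correlation search drop any deletion whose src_user contains one of those surnames via a subsearch. The lookup name access_mgmt_surnames.csv, the lowercase helper field src_user_lc and the minimum-length filter are assumptions for this illustration; the basedn placeholders are left exactly as in the question.

```spl
| ldapsearch search="(&(objectClass=group)(cn=*))" attrs="member" basedn="CN=<GroupName>,OU=<OU>,DC=<DC>"
| rex field=member "CN=([^,\d]*)* (?<Surnames>[^,\d]*)"
| table Surnames
| mvexpand Surnames
``` eval Surnames=lower(trim(Surnames))
``` Drop very short surnames: a substring match on "Lee" or "Ng" would suppress far more accounts than intended (assumed threshold).
| where len(Surnames) >= 4
| dedup Surnames
``` Assumed lookup name; schedule this search (e.g. nightly) so the list tracks group membership without manual upkeep.
| outputlookup access_mgmt_surnames.csv

``` --- correlation search, with the exclusion added before the stats ---
| from datamodel:"Change_Analysis"."Account_Management"
| where 'tag'="delete"
| search NOT "changed: /usr*"
``` Assumed helper field so the generated clauses compare like with like.
| eval src_user_lc=lower(src_user)
``` The subsearch turns each surname into src_user_lc="*surname*" and format joins them with OR,
``` so the outer search NOT removes every event where the acting account contains a team surname.
| search NOT [
    | inputlookup access_mgmt_surnames.csv
    | eval src_user_lc="*".Surnames."*"
    | fields src_user_lc
    | format ]
| stats max(_time) as "lastTime", latest(_raw) as "orig_raw", values(result) as "signature", values(src) as "src", values(dest) as "dest", count by "src_user","user"
| where 'count'>0
```

Two caveats worth keeping in mind. First, if the lookup is empty the subsearch expands to format's default emptystr, NOT ( ), and the outer search NOT then excludes nothing, so an empty list fails open (alerts still fire) rather than silencing the rule; if you want different behaviour, set emptystr explicitly. Second, matching on a surname fragment is inherently loose: anyone whose account name happens to contain a team member's surname is also excluded, so if the admin accounts follow a fixed naming convention it is safer to resolve each group member to its sAMAccountName (SA-ldapsearch's ldapfetch can pull that attribute for each member DN) and exclude on an exact match instead.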