Actually, after recopying your suggestion into the search, it appears to be working correctly. It's possible that I somehow botched the search syntax the first time. For the record, this is the search that is working now:
index=wineventlog sourcetype=WinEventLog:Security (EventCode=560 OR EventCode=4663 OR EventCode=5145) NOT user=*$
| lookup lookup_wild_folder folder_lookup AS folder_name, server AS host OUTPUT group_lookup user_lookup file_exceptions
| eval user=if(isnull(Object_Name),null(),user)
| eval user=if(match(Object_Name,folder_lookup),null(),user)
| eval user=if(match(user_lookup,user),null(),user)
| eval user=if(match(Object_Name,file_exceptions),null(),user)
| table user host folder_lookup folder_name Object_Name Message group_lookup
| ldapfilter domain=default search="(sAMAccountName=$user$)" attrs="memberOf"
| rex field=memberOf "^CN=(?<group_name>[^,]+)"
| eval allowed_groups=split(group_lookup,"::")
| eval temp=mvdedup(mvappend(group_name,allowed_groups))
| eval user=if(mvcount(temp)=(mvcount(group_name) + mvcount(allowed_groups)),user,null())
| where isnotnull(user)
| table user host Object_Name allowed_groups group_name temp
The lookup_wild_folder CSV structure is still the same:
server,folder_lookup,folder_out,group_lookup,user_lookup,file_exceptions
SERVERNAME,D:Docstore*,D:Docstore,GROUP1::Group2,::USER1::USER2::USER3::,
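Added example, not from the original post and not Splunk code: a stand-alone Python model of the detection logic the search above implements, using constructed sample events, a constructed lookup row in the CSV's shape, and a constructed stand-in for the memberOf values that ldapfilter would return. The allowed-group test is an exact-name intersection, matching what the SPL's mvdedup count comparison does.

```python
import fnmatch
import re

# Constructed lookup row in the same column layout as lookup_wild_folder.csv.
LOOKUP = [{"server": "SERVERNAME", "folder_lookup": "D:Docstore*",
           "group_lookup": "GROUP1::Group2",
           "user_lookup": "::USER1::USER2::USER3::", "file_exceptions": ""}]
# Constructed stand-in for the memberOf attribute that ldapfilter would add.
MEMBER_OF = {"alice": ["CN=GROUP1,OU=Groups,DC=example,DC=local"],
             "bob": ["CN=Finance,OU=Groups,DC=example,DC=local"],
             "USER1": ["CN=Finance,OU=Groups,DC=example,DC=local"]}
# Constructed events carrying only the fields the search uses.
EVENTS = [
    {"EventCode": "4663", "user": "alice", "host": "SERVERNAME", "Object_Name": "D:Docstore\\q1.xlsx"},
    {"EventCode": "4663", "user": "bob", "host": "SERVERNAME", "Object_Name": "D:Docstore\\q1.xlsx"},
    {"EventCode": "4663", "user": "USER1", "host": "SERVERNAME", "Object_Name": "D:Docstore\\q1.xlsx"},
    {"EventCode": "4663", "user": "SERVERNAME$", "host": "SERVERNAME", "Object_Name": "D:Docstore\\q1.xlsx"},
    {"EventCode": "4624", "user": "bob", "host": "SERVERNAME", "Object_Name": "D:Docstore\\q1.xlsx"},
    {"EventCode": "4663", "user": "bob", "host": "OTHER", "Object_Name": "D:Docstore\\q1.xlsx"},
]
AUDITED = {"560", "4663", "5145"}   # the three object-access EventCodes in the search

def cn_names(dns):
    """Same extraction as the rex: the first CN= component of each memberOf DN."""
    return [m.group(1) for m in (re.match(r"^CN=([^,]+)", dn) for dn in dns) if m]

def flag_access(events, lookup=LOOKUP, member_of=MEMBER_OF):
    """Return (user, host, Object_Name) for each access to a watched folder by a
    user who belongs to none of that folder's allowed groups."""
    hits = []
    for ev in events:
        user, host, obj = ev.get("user"), ev.get("host"), ev.get("Object_Name")
        if ev.get("EventCode") not in AUDITED or not user or user.endswith("$") or not obj:
            continue                      # NOT user=*$ and isnull(Object_Name) filters
        for row in lookup:
            if row["server"] != host or not fnmatch.fnmatch(obj, row["folder_lookup"]):
                continue                  # wildcard folder match, per server
            if user in row["user_lookup"].split("::"):
                continue                  # exact-name stand-in for match(user_lookup,user)
            if row["file_exceptions"] and fnmatch.fnmatch(obj, row["file_exceptions"]):
                continue
            allowed = set(row["group_lookup"].split("::"))
            if not (allowed & set(cn_names(member_of.get(user, [])))):
                hits.append((user, host, obj))   # no overlap: mvdedup count equals the sum
    return hits

if __name__ == "__main__":
    print(flag_access(EVENTS))   # prints [('bob', 'SERVERNAME', 'D:Docstore\\q1.xlsx')]
```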