Splunk Search

How do I create an overall alert while ignoring events for specific field combinations?

jmaple
Communicator

I'm trying to alert on a specific event code, but there are certain combinations where these event codes are acceptable and I want to exclude them from my results. For some reason, I'm having trouble getting it to ignore accepted events without excluding them outright.

For instance, our service desk is allowed to make specific edits within our AD infrastructure, but we use Quest ARS for everything else, and we want to be notified when a user makes an AD modification to a user outside of this event combination. So here is my base search:

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate

From here I want to exclude the title of our "Account_Name" field (which is brought in using a lookup) with the specific "LDAP_Display_Name" field value of "altSecurityIdentity". I thought this would do it:

[base search] | where (LDAP_Display_Name!=altSecurityIdentity AND userTitle!="*help desk*")

But that doesn't take both arguments into account. It does one, then the other. How do I get it to accept both arguments as one?

1 Solution

jmaple
Communicator

So rather than do the "where" statement, I just added the "NOT ..." statement in the base search and it seems to do it.

index=wineventlog sourcetype=*Security EventCode=5136 Class=user LDAP_Display_Name!=userCertificate NOT (LDAP_Display_Name=altSecurityIdentities AND (userTitle="*help desk*" OR userTitle="*service desk*"))

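As an added illustration (not code from this thread), the Python below models the accepted search's NOT clause and the earlier where-based attempt over a constructed set of EventCode 5136 events. The point it shows: search-time field filters treat "*help desk*" as a case-insensitive wildcard, whereas `where` uses eval semantics and compares "*help desk*" as a literal string, so that form excludes nothing. The event list, the userTitle values and the helper names are all constructed for the example.

```python
from fnmatch import fnmatchcase


def ev(eid, attr, title, cls="user", code=5136):
    """Build one constructed event, with userTitle already filled in by the lookup."""
    return {"id": eid, "EventCode": code, "Class": cls,
            "LDAP_Display_Name": attr, "userTitle": title}


# Constructed sample, not real log data.
EVENTS = [
    ev(1, "altSecurityIdentities", "Help Desk Analyst"),  # approved combination
    ev(2, "altSecurityIdentities", "Service Desk Tech"),  # approved combination
    ev(3, "altSecurityIdentities", "Domain Admin"),       # alert: not a desk role
    ev(4, "memberOf", "Help Desk Analyst"),               # alert: desk role, other attribute
    ev(5, "userCertificate", "Domain Admin"),             # dropped by the base search
    ev(6, "member", "Help Desk Analyst", cls="group"),    # dropped by the base search
]


def wildcard_match(value, pattern):
    """Search-command semantics: '*' is a wildcard and field values match case-insensitively."""
    return fnmatchcase(value.lower(), pattern.lower())


def base_search(events):
    """EventCode=5136 Class=user LDAP_Display_Name!=userCertificate"""
    return [e for e in events
            if e["EventCode"] == 5136 and e["Class"] == "user"
            and e["LDAP_Display_Name"].lower() != "usercertificate"]


def is_approved_combination(e):
    """The NOT (...) clause of the accepted search: desk staff may edit altSecurityIdentities."""
    return (e["LDAP_Display_Name"] == "altSecurityIdentities"
            and (wildcard_match(e["userTitle"], "*help desk*")
                 or wildcard_match(e["userTitle"], "*service desk*")))


def alert_ids(events):
    """Event ids the accepted search keeps, i.e. the ones that should raise the alert."""
    return [e["id"] for e in base_search(events) if not is_approved_combination(e)]


def where_literal_ids(events):
    """The where-based form, modelled with eval semantics: = is an exact string comparison,
    so "*help desk*" is a literal that no real title equals and nothing is excluded.
    The plural attribute name from the accepted search is used to isolate the wildcard issue."""
    return [e["id"] for e in base_search(events)
            if not (e["LDAP_Display_Name"] == "altSecurityIdentities"
                    and e["userTitle"] == "*help desk*")]
```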


somesoni2
Revered Legend

Try this

[base search] | where NOT (LDAP_Display_Name="altSecurityIdentity" AND userTitle="*help desk*")

jmaple
Communicator

Looks like there is no change. There are a couple of different titles I need to filter, so I tried one of them and it still came up as a result.
