Splunk Search

domain accounts search csv

japonter
Explorer

Hi,

I have been looking but can't seem to make much sense of it all. I'm new to Splunk.

I'm trying to create a search and alert from a CSV file. The CSV file contains Domain Admin accounts and I wanted to create a search for a number of event IDs on those domain admin accounts.

index=win sourcetype=wineventlog EventCode=*the events im looking for* | inputlookup file.csv

but I can't seem to make it work.

Any help would be great.

0 Karma

ITWhisperer
SplunkTrust

Do the field names from your search match the field names in your CSV? You should have one that matches to be able to look up in the CSV.

0 Karma

japonter
Explorer

The usernames in the CSV are names from an AD group called domain admin. If I search for them one by one I find them with the event IDs, but there are around 70 names and I want to use the CSV file to make it easier to search for events with a specific event ID for those names.

0 Karma

ITWhisperer
SplunkTrust

Can you share some events with the fields you want to match on and the same from the lookup file?

0 Karma

japonter
Explorer

This is one of the events I want to search.

The CSV file is just domain admin user names: one column, one row of just names.

NOTE: I come from using QRadar for over 5 years to using Splunk for the first time, and I am finding it difficult to transition from one platform to another.

07/06/2021 10:11:23 AM

LogName=Security EventCode=4724

EventType=0 ComputerName=Localhost.local SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=13407054485 Keywords=Audit Success TaskCategory=User Account Management OpCode=Info Message=An attempt was made to reset an account's password.

0 Karma
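Following ITWhisperer's point about matching field names, here is one way to wire the CSV into the 4724 search; this is an added example, not a reply from the thread. `inputlookup` has to be the first command of a search or subsearch, so it goes in square brackets, and the CSV header column is renamed to the field name the event actually carries. Assumptions: the lookup file is `domain_admins.csv` with a single header column `user`, and the account name in the event is extracted as `Account_Name` (the field the Splunk Windows add-on usually produces; confirm it in the Fields sidebar on one of your 4724 events).

```spl
index=win sourcetype=wineventlog EventCode=4724
    [ | inputlookup domain_admins.csv
      | rename user AS Account_Name
      | fields Account_Name ]
| table _time ComputerName EventCode Account_Name Message
```

The subsearch expands to `Account_Name="name1" OR Account_Name="name2" ...`, so the outer search only returns 4724 events for accounts listed in the CSV; add further event IDs as extra `OR EventCode=` terms. If nothing comes back, run the bracketed part on its own first to check that the CSV column and the rename line up.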