Splunk Search

non-compliant naming convention for workstations

karimoss
Loves-to-Learn

Hello,

I want to detect workstations authenticated to the Active Directory that are not compliant with our naming conventions (the hostname should start with the country code followed by 6 numbers; example for a host from Italy: IT000121).

I have already a lookup file (| inputlookup code_countries.csv | table alpha-2), but I don't know how to compare it with the 'Workstation' field in my active index to make it match the naming convention I described above.


Regards,

0 Karma

somesoni2
Revered Legend

Give this a try

Your base search to get all workstation names e.g. | tstats count WHERE index=windows by host
| search NOT ([| inputlookup code_countries.csv | table alpha-2 | eval host='alpha-2'."*" | table host])
| where match(host,"^\w{3}\d+")
0 Karma

gcusello
SplunkTrust

Hi @karimoss,

let me understand: do you want to find all the Computernames from Active Directory logs that aren't in the lookup or what else?

if this is your requirement, you could run:

index=win* NOT [ | inputlookup code_countries.csv | rename alpha-2 AS ComputerName | fields ComputerName ]
| dedup ComputerName
| sort ComputerName
| table ComputerName

Ciao.

Giuseppe

0 Karma

karimoss
Loves-to-Learn

Hello @gcusello 

No, I want to find Computernames that do not conform to a naming convention.

The Computer name should start with the country code (e.g., Italy: IT, France: FR, USA: US), then followed by 6 digits.

Computer Name: US111220 => Good

Computer Name: DESKTOP-121 => BAD

Computer Name: FR000121 => Good

Computer Name: Kali => BAD

Best Regards,

0 Karma

gcusello
SplunkTrust

Hi @karimoss,

in this case, you have to create a regex to search for ComputerName:

something like this:

| regex ComputerName!="^[A-Z]{2}\d{6}$"

Ciao.

Giuseppe

0 Karma
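Added example, not posted by anyone in this thread: the regex above accepts any two capital letters, so this search checks both halves of the convention, that the 2-letter prefix is a code actually present in code_countries.csv and that the rest is exactly six digits. It assumes index=windows and the host field from the tstats example earlier in the thread, and that code_countries.csv can be used by that name with the lookup command (a lookup definition pointing at the file works the same way).

```spl
| tstats count WHERE index=windows BY host
| eval host_cc=upper(substr(host, 1, 2))
| lookup code_countries.csv "alpha-2" AS host_cc OUTPUT "alpha-2" AS known_cc
| eval compliant=if(match(host, "^[A-Z]{2}\d{6}$") AND isnotnull(known_cc), "yes", "no")
| where compliant="no"
| table host host_cc known_cc compliant
```

Hosts such as DESKTOP-121 or Kali fail the regex, while a name like XX000121 passes the regex but fails the lookup step because XX is not a country code, so both end up in the result.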