I have this working:
| lookup SensitiveGroups.csv Target_Account_Name OUTPUT CSV_Priority | search CSV_Priority="Low" | table _time, Target_Account_Name, Member_ID, Caller_User_Name,CSV_Priority
SensitiveGroups.csv Below
Target_Account_Name,CSV_Priority
Administrators,Low
Domain Admins,Low
Now this will create a table that lists changes to Target_Account_Name field where it equals Administrators or Domain Admins.
This Works
But I'm now doing a file/folder audit change one, based on other event codes, etc., where the path of the file being changed could be c:\blah\blah\example.txt, so I want to flag where the field Object contains c:\blah\blah
I could obviously create a lookup file like this, which would tell me when an event pops up with the exact file path in:
Object,CSV_Priority
c:\blah\blah\example.txt,Low
Using a similar rule as above, but it would miss c:\blah\blah\example2.txt, so I want to use a file like below where any Object containing c:\blah\blah gets flagged and reported, so not an equals in the lookup, but a contains.
Object,CSV_Priority
c:\blah\blah,Low
Use something like this, which can take wildcard characters like * as a value in a column of the lookup table,
so you can use this in the lookup table
Object,Priority
C:/blah*,Low
And in transforms add
[SensitiveGroups]
filename = SensitiveGroups.csv
match_type = WILDCARD(Object)
case_sensitive_match = false
Then use a query like this
| lookup SensitiveGroups Object OUTPUT Priority | search Priority="Low" | table _time, Object, Member_ID, Caller_User_Name, Priority
This is the search I used
index="windows_server_events" host="server1" EventCode=560 Type="audit success"
| lookup FileChanges Object_Name OUTPUT csv_host, csv_name
| search csv_name="*"
| table _time,host,Object_Name,Client_User_Name,csv_name,csv_host
With this CSV
csv_host,csv_name,Object_Name
server1,folder change test,*E:\Inetpub\*
And this transforms
[FileChanges]
filename = FileChanges.csv
match_type = WILDCARD(Object_Name)
case_sensitive_match = false
Works great; I found I had to put this in though
search csv_name="*"
What are the reasons for using the transforms file rather than .csv in search like I was doing?
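As an added illustration (not code from the thread or from Splunk), the following Python models what the WILDCARD lookup in the answer and the follow-up search do: rows of the constructed FileChanges.csv are matched against each event's Object_Name with a case-insensitive wildcard, the csv_* fields are added only on a hit, and a final filter plays the role of `search csv_name="*"`. The EXACT mode shows why the original equality lookup cannot catch files under a folder; the event data and timestamps are constructed.

```python
import csv
import fnmatch
import io

# Constructed copy of the thread's FileChanges.csv, embedded so the example runs offline.
FILECHANGES_CSV = r"""csv_host,csv_name,Object_Name
server1,folder change test,*E:\Inetpub\*
"""
# Constructed events carrying the EventCode=560 fields the thread tables.
EVENTS = [
    {"_time": "t1", "host": "server1", "Object_Name": r"E:\Inetpub\wwwroot\web.config", "Client_User_Name": "alice"},
    {"_time": "t2", "host": "server1", "Object_Name": r"e:\inetpub\logs\ex.log", "Client_User_Name": "bob"},
    {"_time": "t3", "host": "server1", "Object_Name": r"C:\Windows\Temp\x.tmp", "Client_User_Name": "carol"},
]

def load_lookup(text):
    """Parse the lookup CSV into rows, like Splunk loading the file named in transforms.conf."""
    return list(csv.DictReader(io.StringIO(text)))

def lookup(events, rows, match_field, output_fields, match_type="WILDCARD", case_sensitive=False):
    """Emulate `| lookup <name> <match_field> OUTPUT <output_fields>`.
    "WILDCARD" mimics match_type = WILDCARD(<match_field>); "EXACT" is the default equality
    match the question's SensitiveGroups.csv relied on. Every event passes through; output
    fields are added only on a match, which is why `search csv_name="*"` is needed afterwards."""
    result = []
    for event in events:
        event = dict(event)
        value = event.get(match_field, "")
        value = value if case_sensitive else value.lower()
        for row in rows:
            pattern = row[match_field] if case_sensitive else row[match_field].lower()
            hit = fnmatch.fnmatchcase(value, pattern) if match_type == "WILDCARD" else value == pattern
            if hit:
                event.update({f: row[f] for f in output_fields})
                break  # first matching row wins
        result.append(event)
    return result

def flagged(events, field="csv_name"):
    """Equivalent of `| search csv_name="*"`: keep only events the lookup actually matched."""
    return [e for e in events if e.get(field)]

def run_thread_search(match_type="WILDCARD", case_sensitive=False):
    """The thread's search over the constructed events (index/host/EventCode filter omitted)."""
    rows = load_lookup(FILECHANGES_CSV)
    return flagged(lookup(EVENTS, rows, "Object_Name", ["csv_host", "csv_name"], match_type, case_sensitive))

if __name__ == "__main__":
    for e in run_thread_search():
        print(e["_time"], e["Object_Name"], e["Client_User_Name"], e["csv_name"], e["csv_host"])
```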