Solved: Lookup Search

sumit29 · ‎05-25-2015

Dear Experts,

I need to write the custom search where user x can login from 5 sources , I am thinking to use lookup( 5 allowed Source IP) , Suppose if user login not from this lookup table(alloweduser) where field name IP. I should get a alert .

woodcock · ‎05-25-2015

I would use an eventtype and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf like this:

[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"

[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"

Then you search like this:

eventtype=USER_X_DISALLOWED LOGINS

View solution in original post

woodcock · ‎05-25-2015

I would use an eventtype and then everyone can use the same one (referentially) and you have only 1 place to modify it such that the change is instantly effective everywhere; use eventtypes.conf like this:

[USER_X_DISALLOWED LOGINS]
search = user="X" IP!="A" IP!="B" IP!="C" IP!="D" IP!="E"

[DISALLOWED LOGINS]
search = IP!="F" IP!="G" IP!="H" IP!="I" IP!="J"

Then you search like this:

eventtype=USER_X_DISALLOWED LOGINS

Lookup Search

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases