Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create and trigger an alert when specific Active Directory users from a CSV file get locked out?

rashid47010
Communicator
‎07-12-2016 12:50 PM

I have one CSV file containing important user names. I want to create an alert/correlation rule whenever the user from that specific list get locked out.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-12-2016 03:04 PM

Create a lookup table for the csv file you have. The csv file should have a column name same as the field in event log with user id. I assume it is Account_Name.

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

Then a query like this should give you the alert

index=windowslogs EventId=4740 [|inputlookup userlist.csv | table Account_Name]

Setup an alert if count>0

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Aboutalerts

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-12-2016 03:04 PM

Create a lookup table for the csv file you have. The csv file should have a column name same as the field in event log with user id. I assume it is Account_Name.

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

Then a query like this should give you the alert

index=windowslogs EventId=4740 [|inputlookup userlist.csv | table Account_Name]

Setup an alert if count>0

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Aboutalerts

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎07-12-2016 01:25 PM

To achieve that you should create a lookup. A lookup will compare a field from a file and add some data to your current data indexed in splunk. Your csv should have at least the username field and another field, for exemple vip=yes. With that you will compare logs from AD and lookup them and find if a user is vip or not.
You can find more information on: http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...