Splunk Search

How to create and trigger an alert when specific Active Directory users from a CSV file get locked out?

rashid47010
Communicator

I have one CSV file containing important user names. I want to create an alert/correlation rule for whenever a user from that specific list gets locked out.

1 Solution

sundareshr
Legend

Create a lookup table for the CSV file you have. The CSV file should have a column whose name is the same as the field in the event log that holds the user ID. I assume it is Account_Name.

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

Then a query like this should give you the alert:

index=windowslogs EventId=4740 [|inputlookup userlist.csv | table Account_Name] 

Set up an alert if count>0

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Aboutalerts


gfreitas
Builder

To achieve that you should create a lookup. A lookup will compare a field from a file and add some data to your current data indexed in Splunk. Your CSV should have at least the username field and another field, for example vip=yes. With that you will compare logs from AD, look them up and find if a user is VIP or not.
You can find more information on: http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

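Putting the two answers together (the subsearch against the lookup from the accepted answer, the vip column from the second), here is a complete saved-search definition as an added example; it is not from the original thread. It assumes the Splunk Add-on for Windows field names in classic rendering (EventCode, a multivalue Account_Name with the locked-out account second, Caller_Computer_Name), an index named windowslogs, a lookup file userlist.csv with columns Account_Name and vip, and a placeholder SOC mailbox; the trailing backslashes are Splunk's .conf line continuation.

```ini
# Constructed stanza for savedsearches.conf in a custom app's local/ directory.
# Stanza name, index, sourcetype, lookup file name and mailbox are assumptions.
[VIP account lockout]

# Event 4740 = "A user account was locked out". The subsearch turns the
# watch-list rows into (Account_Name=a) OR (Account_Name=b) ..., so only
# lockouts of listed accounts are returned; the vip column (from the second
# answer) lets one CSV carry non-VIP rows as well. In classic rendering the
# subject's name and the locked-out name both land in the multivalue field
# Account_Name, the locked-out account second, hence mvindex(..., 1).
# Subsearches return at most 10,000 rows by default; keep the list below that.
search = index=windowslogs sourcetype="WinEventLog:Security" EventCode=4740 \
    [| inputlookup userlist.csv | where vip="yes" | fields Account_Name] \
  | eval locked_account=mvindex(Account_Name, 1) \
  | stats count AS lockouts min(_time) AS first_seen max(_time) AS last_seen \
          values(Caller_Computer_Name) AS caller_computers BY locked_account \
  | convert ctime(first_seen) ctime(last_seen)

# Schedule: every 15 minutes over the preceding 15-minute window.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Trigger condition: "count > 0", i.e. any result row fires the alert.
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1

# Throttle: at most one alert per locked account per hour, so repeated
# lockouts of the same account do not flood the queue.
alert.suppress = 1
alert.suppress.fields = locked_account
alert.suppress.period = 1h

# Action: e-mail the SOC; $result.<field>$ pulls values from the first row.
action.email = 1
action.email.to = soc@example.com
action.email.subject = VIP account lockout: $result.locked_account$
```

Because the stats row carries the caller computer names, the analyst sees which host generated the failed logons without opening the raw events; if your deployment uses XML rendering, the field names differ and the eval/stats lines need adjusting.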