Solved: How to create and trigger an alert when specific A...

rashid47010 · ‎07-12-2016

I have one CSV file containing important user names. I want to create an alert/correlation rule whenever the user from that specific list get locked out.

sundareshr · ‎07-12-2016

Create a lookup table for the csv file you have. The csv file should have a column name same as the field in event log with user id. I assume it is Account_Name.

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

Then a query like this should give you the alert

index=windowslogs EventId=4740 [|inputlookup userlist.csv | table Account_Name]

Setup an alert if count>0

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Aboutalerts

View solution in original post

sundareshr · ‎07-12-2016

Create a lookup table for the csv file you have. The csv file should have a column name same as the field in event log with user id. I assume it is Account_Name.

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

Then a query like this should give you the alert

index=windowslogs EventId=4740 [|inputlookup userlist.csv | table Account_Name]

Setup an alert if count>0

http://docs.splunk.com/Documentation/Splunk/6.4.1/Alert/Aboutalerts

gfreitas · ‎07-12-2016

To achieve that you should create a lookup. A lookup will compare a field from a file and add some data to your current data indexed in splunk. Your csv should have at least the username field and another field, for exemple vip=yes. With that you will compare logs from AD and lookup them and find if a user is vip or not.
You can find more information on: http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

How to create and trigger an alert when specific Active Directory users from a CSV file get locked out?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life