I have a lookup table that consists of AD groups with the fields Group, is_privileged, and Type. I need to create a correlation search that looks at my Windows events for EventID=4728 OR EventID=4732 OR EventID=4756 and, if the "Group_Name" field in the event matches the Group field in the lookup table, I want it to show results.
This is what I have but it is not showing the events that match. Any advice?
index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"
index=windows EventID=4728 OR EventID=4732 OR EventID=4756 | lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged | where is_privileged="True"
I think you renamed is_privileged to privileged and then searched for is_privileged instead of privileged.
As a side note: debugging line by line is a really powerful way to figure out where your bugs are in Splunk code; since SPL is a Unix-based language, the output of one search goes directly into the input of another. So to find a bug in the last pipe, go pipe by pipe until you find the bug. In your case, if you run the search just after the lookup command you would probably see values for privileged, which could clue you in that the values are there and the field name might be incorrect.
Hope this helps!
EDIT: I prefer search for string comparison, as that's its core functionality and I'm less likely to hit a mismatch in comparisons. where is more commonly used for field comparisons, i.e. field1 = field2, field1 > field2, etc.
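The two searches below are an added worked example, not part of the original question or answer. They assume the lookup is defined as AD_groups with the fields Group, is_privileged and Type from the question, that is_privileged holds the literal string True for privileged groups, and that the event field is Group_Name; the output field name group_type is my own choice. The first search is the pipe-by-pipe check described above (stop right after the lookup and look at what came back); the second is the corrected correlation search, filtering on the renamed field privileged rather than is_privileged.

```spl
index=windows (EventID=4728 OR EventID=4732 OR EventID=4756)
| lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged Type AS group_type
| table _time EventID Group_Name privileged group_type

index=windows (EventID=4728 OR EventID=4732 OR EventID=4756)
| lookup AD_groups Group AS Group_Name OUTPUT is_privileged AS privileged Type AS group_type
| search privileged="True"
| table _time EventID Group_Name group_type
```

Two caveats worth checking when the debug search shows the lookup populating privileged but the final search still returns nothing. First, the parentheses around the EventID clause are not cosmetic: Splunk evaluates AND before OR, so without them the search parses as (index=windows AND EventID=4728) OR EventID=4732 OR EventID=4756, which pulls 4732 and 4756 events from every index. Second, a lookup matches case-sensitively by default (the case_sensitive_match setting in transforms.conf), so a Group value of "Domain Admins" in the CSV will not match a Group_Name of "domain admins" in the event; in the same way, where privileged="True" is a case-sensitive string comparison and will miss "true" or "TRUE", whereas search privileged="True" matches field values case-insensitively, which is one practical reason to follow the answer's preference for search here.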