Re: Match values from different fields in lookup a...

laseeno · ‎11-07-2019

I've spent considerable time trying to get this to work and have searched topics but nothing appears to get me where I am trying to go.

I'm trying to pull values from a field in a search and then see if they exist in a lookuptable.

The search is like:
inex=win sourcetype=windows:security logs EventType=4722

The value I am interested in here is under the field Target_Account_Account_Name

The Lookup
I have a loookup table ad_dump.csv that stores AD Attributes. The fields I am interested in here are Enabled and SamAccountName.

Objective
I am trying to find users who's account was disabled and recently enabled. There may be an easier way to accomplish this and I am open to suggestions but where I am at this is what I am trying to do.

Run the search to pull the field Target_Account_Account_Name and see if that identical value exists in the SamAccountName field from the lookup if their Enabled field is equal to False.

Any help is greatly appreciated!

woodcock · ‎11-07-2019

Like this?

index=windows sourcetype=windows:security logs EventType=4722
| lookup dump.csv SamAccountName AS Target_Account_Account_Name OUTPUT Enabled

laseeno · ‎11-07-2019

Thank you! That was almost exactly what I needed. I just added a filter for retrieving the False field.

Code

index=win sourcetype="WinEventLog:Security" EventCode=4722  
| lookup ad_dump.csv SamAccountName AS Target_Account_Account_Name OUTPUT Enabled
| search Enabled=False

Match values from different fields in lookup and field in search

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases