I have created a search that searches for any Windows logon events in my environment.
index=windows EventID=528 OR EventID=540 OR EventID=4624 OR EventID=4776
| dedup Computer,IpAddress,TargetUserName
| rename Computer as DestinationHost, IpAddress as SourceIP, TargetUserName as SourceUsername
| table _time, SourceIP, SourceUsername, DestinationHost
I also have an inputlookup named identities.csv which contains Active Directory information for users, including a field labeled "department".
How can I create a subsearch that takes the above search, checks identities.csv for the username and department, and excludes results where the user is in a specific department?
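One way to do this, as an added example rather than the poster's search or an accepted answer: a NOT subsearch pulls the usernames of the excluded department out of the lookup and drops them from the base search before the dedup. It assumes identities.csv holds the username in a column named `identity` and uses "Helpdesk" as a placeholder for the department to exclude; both are assumptions, not values from the post.

```spl
index=windows (EventID=528 OR EventID=540 OR EventID=4624 OR EventID=4776)
    NOT [| inputlookup identities.csv
          | search department="Helpdesk"
          | rename identity AS TargetUserName
          | fields TargetUserName]
| dedup Computer,IpAddress,TargetUserName
| rename Computer AS DestinationHost, IpAddress AS SourceIP, TargetUserName AS SourceUsername
| table _time, SourceIP, SourceUsername, DestinationHost
```

A subsearch is capped by the default subsearch result limit, so for a large identity lookup it is safer to enrich instead: put `| lookup identities.csv identity AS TargetUserName OUTPUT department | where isnull(department) OR department!="Helpdesk"` ahead of the dedup. The `isnull(department)` clause keeps logons by accounts that are not in the lookup at all (local and service accounts), which a plain `department!=` filter would silently discard.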