Update savedsearches.conf

derkkila · derkkila · commit 997feb989c51 · 2022-06-28T11:41:28.000-04:00
Add generate_user_access_lookup saved search
diff --git a/github_app_for_splunk/default/savedsearches.conf b/github_app_for_splunk/default/savedsearches.conf
@@ -124,3 +124,34 @@ request.ui_dispatch_view = search
 search = | mstats avg(_value) as "Avg" WHERE `github_collectd` AND metric_name="load.longterm" AND host="*" span=10s BY metric_name, host\
 | stats avg(Avg) as "Load" by metric_name, host\
 | xyseries host metric_name Load
+
+[generate_user_access_lookup]
+action.email.useNSSubject = 1
+action.keyindicator.invert = 0
+action.makestreams.param.verbose = 0
+action.nbtstat.param.verbose = 0
+action.notable.param.verbose = 0
+action.nslookup.param.verbose = 0
+action.ping.param.verbose = 0
+action.risk.forceCsvResults = 1
+action.risk.param.verbose = 0
+action.send2uba.param.verbose = 0
+action.threat_add.param.verbose = 0
+alert.track = 0
+cron_schedule = 0 6 * * *
+description = This search will generate a lookup about the access to devsecops environment and write it to a lookup file
+dispatch.earliest_time = -30d@d
+dispatch.latest_time = now
+display.events.fields = ["host","source","sourcetype","sc4s_container","sc4s_destport","sc4s_fromhostip","sc4s_proto","sc4s_syslog_facility","sc4s_syslog_format","sc4s_syslog_severity","sc4s_vendor_product","data.permission","permission","old_permission","user_id","action","app","user_agent","url","status","category","signature","COMMAND","USER","user"]
+display.general.timeRangePicker.show = 0
+display.general.type = statistics
+display.page.search.mode = verbose
+display.page.search.tab = statistics
+display.visualizations.charting.chart = line
+display.visualizations.show = 0
+enableSched = 1
+request.ui_dispatch_app = github_app_for_splunk
+request.ui_dispatch_view = search
+search = | pivot Change Auditing_Changes earliest(_time) AS "first_access" latest(_time) as "last_access" SPLITROW action SPLITROW command SPLITROW user SPLITROW object SPLITROW change_type SPLITROW object_category SPLITROW dvc\
+| table first_access,last_access,user,command,action,dvc\
+| outputlookup last_access_by_user
