I have an input lookup file, say 'ApprovedUsers.csv'. This contains a single field, SamAccountName. I want to compare this against the Account_Name field returned in a Windows Security Eventlog search. I then want to compare the user who logged on per the log against the inputlookup file. If the User is NOT present in the lookup file, then I want it to fire an alert.
My problem is I cannot seem to get the search using a 'NOT' operation against the lookup file. But perhaps there is a way to achieve this type of outcome? I've also done a little reading about search macros. Would that be easier?
I'm open to alternative options or what is the best practice for this.
Thanks!
Dustin
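
One way to express the check described in the question, as an added example that is not part of the original post: a subsearch turns the lookup rows into search terms, and `NOT` excludes events that match any of them. The index, the sourcetype and the restriction to EventCode 4624 (successful logon) are assumptions; the lookup file and field names are the ones from the question.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
    NOT [ | inputlookup ApprovedUsers.csv
          | rename SamAccountName AS Account_Name
          | fields Account_Name ]
| stats count AS logons, latest(_time) AS last_seen BY Account_Name, host
| convert ctime(last_seen)
```

The `rename` matters because the subsearch must return a field with the same name as the one in the events; saved as an alert, the search would trigger when the number of results is greater than zero. Subsearches are subject to result-count and runtime limits, so a very large approved list is better handled with `| lookup ApprovedUsers.csv SamAccountName AS Account_Name OUTPUT SamAccountName AS approved | where isnull(approved)`.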