I have logs being stored in json that shows accounts being given access to data. I need to validate that the accts are valid. I am trying to run a subsearch that will get the list of accounts(userId) from the logged event and validate against a list of known accts. I was planning on using a search/subsearch structure but I am having issues getting the acct list(userId) out of the json structure
json strusture -
eventID: 4321-4321-4321-1234
requestParameters: { [-]
attributeType: CREATE_VOLUME_PERMISSION
createVolumePermission: { [-]
add: { [-]
items: [ [-]
{ [-]
userId: 1234567889
}
{ [-]
userId: 0987654321
}
]
}
}
Ideally I would like to pass the eventId and userId to the main search for each userId and report those details if the acct is not found in my list of known accts
↧