[generate_user_access_lookup]

action.email.useNSSubject = 1

action.keyindicator.invert = 0

action.makestreams.param.verbose = 0

action.nbtstat.param.verbose = 0

action.notable.param.verbose = 0

action.nslookup.param.verbose = 0

action.ping.param.verbose = 0

action.risk.forceCsvResults = 1

action.risk.param.verbose = 0

action.send2uba.param.verbose = 0

action.threat_add.param.verbose = 0

alert.track = 0

cron_schedule = 0 6 * * *

description = This search will generate a lookup about the access to devsecops environment and write it to a lookup file

dispatch.earliest_time = -30d@d

dispatch.latest_time = now

display.events.fields = ["host","source","sourcetype","sc4s_container","sc4s_destport","sc4s_fromhostip","sc4s_proto","sc4s_syslog_facility","sc4s_syslog_format","sc4s_syslog_severity","sc4s_vendor_product","data.permission","permission","old_permission","user_id","action","app","user_agent","url","status","category","signature","COMMAND","USER","user"]

display.general.timeRangePicker.show = 0

display.general.type = statistics

display.page.search.mode = verbose

display.page.search.tab = statistics

display.visualizations.charting.chart = line

display.visualizations.show = 0

enableSched = 1

request.ui_dispatch_app = github_app_for_splunk

request.ui_dispatch_view = search

search = | pivot Change Auditing_Changes earliest(_time) AS "first_access" latest(_time) as "last_access" SPLITROW action SPLITROW command SPLITROW user SPLITROW object SPLITROW change_type SPLITROW object_category SPLITROW dvc\

| table first_access,last_access,user,command,action,dvc\

| outputlookup last_access_by_user