topic Re: Splunk Enterprise Security: How to retrieve ldap assets information? in Splunk Enterprise Security

Splunk Enterprise Security: How to retrieve ldap assets information?

paola92 — Tue, 29 Sep 2020 12:32:38 GMT

I tried to retrieve assets information of ldap so I used the search (I know that I must not to use search nt_host...)

"|ldapsearch domain=XXX search="(&(objectClass=computer))"
|eval city=""
|eval country=""
|eval priority="medium"
|eval category="normal"
|eval dns=dNSHostName
|eval owner=managedBy
|rex field=sAMAccountName mode=sed "s/\$//g"
|eval nt_host=sAMAccountName |search nt_host=segurinfo 
|makemv delim="," dn
|rex field=dn "(OU|CN)\=(?.+)"
|table Source_Address,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av"

and I have the table but I the IP is not because I do not use static IP so I think is possible to use the security logs that I have but I do not how can i correlate it.

I used the next search for nt_host=segurinfo: index="wineventlog" Workstation_Name=segurinfo and I see in the logs the information that I need.

Re: Splunk Enterprise Security: How to retrieve ldap assets information?

starcher — Wed, 08 Feb 2017 14:49:18 GMT

You should output your ldap search to a csv lookup table then tell ES that is a new assets lookup table. It will then consume it on changes and keep the auto lookups that exist within ES populated and working. You can find the instructions on using asset tables and a macro to ensure they have gotten ingested at http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference

Re: Splunk Enterprise Security: How to retrieve ldap assets information?

starcher — Sat, 11 Feb 2017 12:44:42 GMT

I just re-read your post. I am sorry I missed the DHCP reference. I would not write the table with IP if you use DHCP. I would write only with the computer names. Then additionally make an asset table with the DHCP ranges but without computer name information. Then at least if the data is IP you will get a category displayed like DHCP-Workstation or however you tag that ip range asset object. And if the match is by name you get the more precise asset information based on your ldap info.

Re: Splunk Enterprise Security: How to retrieve ldap assets information?

aaraneta_splunk — Sat, 11 Mar 2017 18:12:13 GMT

@paola92 - Did the answer provided by starcher help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

Re: Splunk Enterprise Security: How to retrieve ldap assets information?

kagamalai — Sun, 19 Sep 2021 16:11:36 GMT

I used the below query but not searched the computer assets its through the below error message please advise ?

"Error in 'rex' command: Encountered the following error while compiling the regex '(OU|CN)\=(?.+)': Regex: unrecognized character after (? or (?-. "

|ldapsearch domain=XXX search="(&(objectClass=computer))"
|eval city=""
|eval country=""
|eval priority="medium"
|eval category="normal"
|eval dns=dNSHostName
|eval owner=managedBy
|rex field=sAMAccountName mode=sed "s/\$//g"
|eval nt_host=sAMAccountName |search nt_host=segurinfo 
|makemv delim="," dn
|rex field=dn "(OU|CN)\=(?.+)"
|table Source_Address,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av